diff --git a/creusot-contracts/src/logic/fset.rs b/creusot-contracts/src/logic/fset.rs index 9ebd35b76..469bbb09c 100644 --- a/creusot-contracts/src/logic/fset.rs +++ b/creusot-contracts/src/logic/fset.rs @@ -114,6 +114,17 @@ impl FSet { dead } + /// Returns a new set, which is the union of `self` and `other`. + /// + /// An element is in the result if it is in `self` _or_ if it is in `other`. + #[trusted] + #[logic] + #[creusot::builtins = "set.Fset.inter"] + pub fn intersection(self, other: Self) -> Self { + let _ = other; + dead + } + /// Returns `true` if every element of `self` is in `other`. #[trusted] #[predicate] diff --git a/creusot-contracts/src/logic/seq.rs b/creusot-contracts/src/logic/seq.rs index d28a4a84b..8146bbd1b 100644 --- a/creusot-contracts/src/logic/seq.rs +++ b/creusot-contracts/src/logic/seq.rs @@ -376,6 +376,16 @@ impl Seq { { self.sorted_range(0, self.len()) } + + #[open] + #[logic] + #[ensures(forall, b: Seq, x: T> + a.concat(b).contains(x) == a.contains(x) || b.contains(x))] + pub fn concat_contains() + where + T: Sized, + { + } } impl Seq<&T> { diff --git a/creusot-contracts/src/std.rs b/creusot-contracts/src/std.rs index ec8370106..08c594887 100644 --- a/creusot-contracts/src/std.rs +++ b/creusot-contracts/src/std.rs @@ -3,6 +3,10 @@ pub use ::std::*; pub mod array; pub mod boxed; pub mod clone; +pub mod collections { + pub mod hash_map; + pub mod hash_set; +} pub mod cmp; pub mod default; pub mod deque; diff --git a/creusot-contracts/src/std/collections/hash_map.rs b/creusot-contracts/src/std/collections/hash_map.rs new file mode 100644 index 000000000..534a0edeb --- /dev/null +++ b/creusot-contracts/src/std/collections/hash_map.rs 
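Review bot: The doc comment on the new `FSet::intersection` in fset.rs is copied from `union`. It says the result is the union and that an element is in it if it is in `self` _or_ in `other`, while the function is bound to `set.Fset.inter`. Because the function is `#[trusted]` with a `dead` body, this comment is the only human-readable statement of what is being assumed, so it should match the builtin. Suggested wording: ``/// Returns a new set, which is the intersection of `self` and `other`.`` followed by ``/// An element is in the result if it is in `self` _and_ in `other`.``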
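Review bot: The `#[ensures]` on the new `concat_contains` lemma in seq.rs has no parentheses around the disjunction. Assuming Pearlite follows Rust operator precedence, it parses as `(a.concat(b).contains(x) == a.contains(x)) || b.contains(x)`. That is weaker than the equivalence the name suggests: whenever `b.contains(x)` holds the clause is trivially true and says nothing about `a.concat(b)`. The `produces_trans` laws in hash_set.rs call this lemma, presumably for the full equivalence, so I would write the body as `a.concat(b).contains(x) == (a.contains(x) || b.contains(x))` and add a one-line `///` comment stating the lemma. The `forall` binder is garbled in this rendering, so only the body is quoted here.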
@@ -0,0 +1,244 @@ +use crate::{ + logic::FMap, + std::iter::{FromIterator, IntoIterator, Iterator}, + *, +}; +use ::std::{ + collections::hash_map::*, + default::Default, + hash::{BuildHasher, Hash}, +}; + +impl View for HashMap { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +extern_spec! { + mod std { + mod collections { + mod hash_map { + impl HashMap { + #[ensures(self@ == result@)] + fn iter(&self) -> Iter<'_, K, V>; + + #[ensures(self.into_iter_post(result))] + fn iter_mut(&mut self) -> IterMut<'_, K, V>; + } + } + } + } +} + +impl<'a, K, V> View for Iter<'a, K, V> { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, K, V> Iterator for Iter<'a, K, V> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // self@ equals the union of visited (viewed as a fmap) and o@ + pearlite! { + self@.len() == visited.len() + o@.len() + && (forall visited.contains((&k, &v)) + ==> self@.get(k) == Some(v) && o@.get(k) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !(exists visited.contains((&k, &v2)))) + && (forall self@.get(k) == Some(v) + ==> visited.contains((&k, &v)) || (o@.get(k) == Some(v))) + && (forall + visited.get(i1) == Some((k, v1)) && visited.get(i2) == Some((k, v2)) + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! 
{ forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl View for IntoIter { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl Iterator for IntoIter { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // self@ equals the union of visited (viewed as a fmap) and o@ + pearlite! { + self@.len() == visited.len() + o@.len() + && (forall visited.contains((k, v)) + ==> self@.get(k) == Some(v) && o@.get(k) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !(exists visited.contains((k, v2)))) + && (forall self@.get(k) == Some(v) + ==> visited.contains((k, v)) || (o@.get(k) == Some(v))) + && (forall + visited.get(i1) == Some((k, v1)) && visited.get(i2) == Some((k, v2)) + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl<'a, K, V> View for IterMut<'a, K, V> { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, K, V> Iterator for IterMut<'a, K, V> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // self@ equals the union of visited (viewed as a fmap) and o@ + pearlite! 
{ + self@.len() == visited.len() + o@.len() + && (forall visited.contains((&k, v)) + ==> self@.get(k) == Some(v) && o@.get(k) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !(exists visited.contains((&k, v2)))) + && (forall self@.get(k) == Some(v) + ==> visited.contains((&k, v)) || (o@.get(k) == Some(v))) + && (forall + visited.get(i1) == Some((k, v1)) && visited.get(i2) == Some((k, v2)) + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl IntoIterator for HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &mut HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate(prophetic)] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! 
{ forall (*self)@.contains(k) == (^self)@.contains(k) + && (forall (*self)@.contains(k) == res@.contains(k)) + && forall (*self)@.contains(k) ==> (*self)@[k] == *res@[k] && (^self)@[k] == ^res@[k] } + } +} + +impl FromIterator<(K, V)> for HashMap { + #[predicate] + #[open] + fn from_iter_post(prod: Seq<(K, V)>, res: Self) -> bool { + pearlite! { forall (res@.get(k) == Some(v)) + == (exists 0 <= i && i < prod.len() && prod[i] == (k, v) + && forall i < j && j < prod.len() ==> prod[j].0 != k) } + } +} diff --git a/creusot-contracts/src/std/collections/hash_set.rs b/creusot-contracts/src/std/collections/hash_set.rs new file mode 100644 index 000000000..1d7f75b4d --- /dev/null +++ b/creusot-contracts/src/std/collections/hash_set.rs 
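Review bot: The four `#[trusted]` `view` functions in hash_map.rs (for `HashMap`, `Iter`, `IntoIter` and `IterMut`) have `dead` bodies and no doc comments, so what the `FMap` model means can only be recovered by reading `produces`. Judging from `self@.len() == visited.len() + o@.len()` and the in-code comment, an iterator's view is the set of entries it has not yet yielded. Since these are unverified assumptions, I would state that on each one, e.g. `/// Logical model: the key-value entries this iterator has not yet yielded.` for the iterators and a matching line on the map's `view`. The `produces` body is also repeated three times with only the reference shape of the `visited` elements changing. A short comment naming what each conjunct enforces (sizes add up, visited entries come from `self` and are absent from `o`, every entry of `self` is covered, keys in `visited` are unique) would make the three copies easier to audit against each other.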
@@ -0,0 +1,221 @@ +use crate::{ + logic::FSet, + std::iter::{FromIterator, IntoIterator, Iterator}, + *, +}; +use ::std::{collections::hash_set::*, hash::*}; + +impl View for HashSet { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +extern_spec! { + mod std { + mod collections { + mod hash_set { + impl HashSet { + #[ensures(self@ == result@)] + fn iter(&self) -> Iter<'_, T>; + } + impl HashSet + where + T: Eq + Hash, + S: BuildHasher, + { + #[ensures(result@ == self@.intersection(other@))] + fn intersection<'a>(&'a self, other: &'a HashSet) -> Intersection<'a, T, S>; + } + } + } + } +} + +impl<'a, T> View for Iter<'a, T> { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, T> Iterator for Iter<'a, T> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + pearlite! { self@.len() == visited.len() + o@.len() + && (forall self@.contains(x) ==> visited.contains(&x) || o@.contains(x)) + && (forall visited.contains(&x) ==> self@.contains(x) && !o@.contains(x)) + && (forall o@.contains(x) ==> self@.contains(x) && !visited.contains(&x)) + && (forall + 0 <= i && i < visited.len() && 0 <= j && j < visited.len() + && *visited[i] == x && *visited[j] == x + ==> i == j) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + Seq::::concat_contains(); + proof_assert! { forall ab.len() <= i && ab.concat(bc).get(i) == Some(x) ==> bc.contains(x) }; + proof_assert! 
{ forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }; + } +} + +impl View for IntoIter { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl Iterator for IntoIter { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + pearlite! { self@.len() == visited.len() + o@.len() + && (forall self@.contains(x) ==> visited.contains(x) || o@.contains(x)) + && (forall visited.contains(x) ==> self@.contains(x) && !o@.contains(x)) + && (forall o@.contains(x) ==> self@.contains(x) && !visited.contains(x)) + && (forall + 0 <= i && i < visited.len() && 0 <= j && j < visited.len() + && visited[i] == x && visited[j] == x + ==> i == j) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + Seq::::concat_contains(); + proof_assert! { forall ab.len() <= i && ab.concat(bc).get(i) == Some(x) ==> bc.contains(x) }; + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }; + } +} + +impl IntoIterator for HashSet { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &HashSet { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl FromIterator for HashSet { + #[predicate] + #[open] + fn from_iter_post(prod: Seq, res: Self) -> bool { + pearlite! 
{ forall res@.contains(x) == prod.contains(x) } + } +} + +impl<'a, T, S> View for Intersection<'a, T, S> { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, T: Eq + Hash, S: BuildHasher> Iterator for Intersection<'a, T, S> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + pearlite! { self@.len() == visited.len() + o@.len() + && (forall self@.contains(x) ==> visited.contains(&x) || o@.contains(x)) + && (forall visited.contains(&x) ==> self@.contains(x) && !o@.contains(x)) + && (forall o@.contains(x) ==> self@.contains(x) && !visited.contains(&x)) + && (forall + 0 <= i && i < visited.len() && 0 <= j && j < visited.len() + && visited[i] == &x && visited[j] == &x + ==> i == j) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + Seq::::concat_contains(); + proof_assert! { forall ab.len() <= i && ab.concat(bc).get(i) == Some(x) ==> bc.contains(x) }; + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }; + } +} diff --git a/creusot-contracts/src/std/default.rs b/creusot-contracts/src/std/default.rs index b1770f27a..a96b6e45d 100644 --- a/creusot-contracts/src/std/default.rs +++ b/creusot-contracts/src/std/default.rs @@ -24,3 +24,13 @@ impl Default for bool { pearlite! { self == false } } } + +// `RandomState::default()` is defined as `RandomState::new()` +// which produces random values. +impl Default for std::hash::RandomState { + #[predicate] + #[open] + fn is_default(self) -> bool { + pearlite! { true } + } +} 
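Review bot: In hash_set.rs, `completed` for `Iter` and `IntoIter` is only `(self@).is_empty()`, while `Intersection` in the same file and all three iterators in hash_map.rs use `self.resolve() && ...`. Without the `resolve()` conjunct the predicate does not relate the iterator's final value to its current one, which looks like an oversight rather than a design choice, though the diff does not say. If it is unintended, both should read `pearlite! { self.resolve() && (self@).is_empty() }`. If it is deliberate, a comment on the two `completed` bodies explaining the difference would help. The uniqueness conjunct of `produces` is also written two ways (`*visited[i] == x` for `Iter`, `visited[i] == &x` for `Intersection`), and settling on one form would make the specs easier to compare.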
diff --git a/creusot/tests/creusot-contracts/creusot-contracts.coma b/creusot/tests/creusot-contracts/creusot-contracts.coma index 95709096a..e044913d3 100644 --- a/creusot/tests/creusot-contracts/creusot-contracts.coma +++ b/creusot/tests/creusot-contracts/creusot-contracts.coma 
@@ -92,2802 +92,3531 @@ module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_ goal vc_produces_trans'0 : ([%#sarray1] produces'0 b bc c) -> ([%#sarray0] produces'0 a ab b) -> ([%#sarray2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_le_log [#"../../../creusot-contracts/src/std/cmp.rs" 88 4 88 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 87 14 87 64 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 85 4 85 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 78 4 78 26] (* as std::iter::Iterator> *) + let%span shash_map0 = 
"../../../creusot-contracts/src/std/collections/hash_map.rs" 77 14 77 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 75 4 75 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_T'0 + use seq.Seq - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + use prelude.prelude.Borrow - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_K'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + type t_V'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use prelude.prelude.UInt16 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.UIntSize - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_FMap'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_Iter'0) : t_FMap'0 + - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Int - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 + [%#sfmap7] Map.get (view'1 self) k + + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x end - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) + + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + [%#sseq6] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - constant x : t_Reverse'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . 
get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - constant y : t_Reverse'0 + constant self : t_Iter'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 88 4 88 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 78 4 78 26] (self : t_Iter'0) : () - goal vc_cmp_le_log'0 : [%#scmp0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_lt_log [#"../../../creusot-contracts/src/std/cmp.rs" 93 4 93 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 92 14 92 61 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 90 4 90 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = 
"../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 85 4 85 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 82 15 82 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 83 15 83 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 84 14 84 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 86 24 86 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 86 8 86 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_T'0 + use prelude.prelude.UInt16 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Borrow - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_K'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_V'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_FMap'0 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_Iter'0) : t_FMap'0 + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + [%#sfmap10] Map.get (view'1 self) k - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = - [%#sord2] cmp_log'0 self o = C_Less'0 + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - constant x : t_Reverse'0 + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - constant y : t_Reverse'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq9] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 93 4 93 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . 
contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - goal vc_cmp_lt_log'0 : [%#scmp0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_ge_log [#"../../../creusot-contracts/src/std/cmp.rs" 98 4 98 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 97 14 97 61 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 95 4 95 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use seq.Seq - type t_T'0 + constant a : t_Iter'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + constant ab : Seq.seq (t_K'0, t_V'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + constant b : t_Iter'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + constant bc : Seq.seq (t_K'0, t_V'0) + + constant c : t_Iter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 85 4 85 90] (a : t_Iter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_Iter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_Iter'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 
0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 129 4 129 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 128 14 128 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 126 4 126 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_K'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + type t_V'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.UInt16 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Opaque - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.UIntSize - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: 
t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_FMap'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 96 4 96 33] (self : t_IntoIter'0) : t_FMap'0 + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 + + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + + = + [%#sfmap7] Map.get (view'1 self) k + + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x end - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) + + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 = - [%#sord2] cmp_log'0 self o <> C_Less'0 + [%#sseq6] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - constant x : t_Reverse'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 104 4 104 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . 
get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - constant y : t_Reverse'0 + constant self : t_IntoIter'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 98 4 98 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 129 4 129 26] (self : t_IntoIter'0) : () - goal vc_cmp_ge_log'0 : [%#scmp0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_gt_log [#"../../../creusot-contracts/src/std/cmp.rs" 103 4 103 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 102 14 102 64 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 100 4 100 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 
82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 136 4 136 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 133 15 133 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 134 15 134 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 135 14 135 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 137 24 137 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 137 8 137 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_T'0 + use prelude.prelude.UInt16 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { 
t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_K'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_V'0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_FMap'0 - axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 96 4 96 33] (self : t_IntoIter'0) : t_FMap'0 + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap6] len'0 self >= 0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + [%#sfmap10] Map.get (view'1 self) k - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = - [%#sord2] cmp_log'0 self o = C_Greater'0 + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - constant x : t_Reverse'0 + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - constant y : t_Reverse'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq9] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 103 4 103 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 104 4 104 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . 
get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - goal vc_cmp_gt_log'0 : [%#scmp0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__refl [#"../../../creusot-contracts/src/std/cmp.rs" 108 4 108 20] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 107 14 107 45 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 105 4 105 10 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use seq.Seq - type t_T'0 + constant a : t_IntoIter'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + constant ab : Seq.seq (t_K'0, t_V'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + constant b : t_IntoIter'0 - function 
cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + constant bc : Seq.seq (t_K'0, t_V'0) + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 136 4 136 90] (a : t_IntoIter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_IntoIter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_IntoIter'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 179 14 179 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 177 4 177 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + type t_K'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_V'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.UInt16 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.Opaque - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.UIntSize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_FMap'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 147 4 147 33] (self : t_IterMut'0) : t_FMap'0 + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap3] len'0 self >= 0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) = - [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - constant x : t_Reverse'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - function refl'0 [#"../../../creusot-contracts/src/std/cmp.rs" 108 4 108 20] (x : t_Reverse'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) - goal vc_refl'0 : [%#scmp0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__trans [#"../../../creusot-contracts/src/std/cmp.rs" 115 4 115 52] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 112 15 112 32 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 113 15 113 32 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 114 14 114 31 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 110 4 110 10 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - 
let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 - - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } - - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use map.Map - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use map.Map - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + + = + [%#sfmap7] Map.get (view'1 self) k - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, borrowed t_V'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'2 + = + [%#sseq6] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 155 4 155 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . 
contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . get'1 visited i1 + = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant self : t_IterMut'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 26] (self : t_IterMut'0) : () + - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 187 4 187 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 184 15 184 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 185 15 185 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 186 14 186 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 188 24 188 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 188 8 188 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq9 = 
"../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UInt16 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use prelude.prelude.UIntSize - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp4] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + use prelude.prelude.Borrow - constant x : t_Reverse'0 + type t_K'0 - constant y : t_Reverse'0 + type t_V'0 - constant z : t_Reverse'0 + use seq.Seq - constant o : t_Ordering'0 + type t_FMap'0 - function trans'0 [#"../../../creusot-contracts/src/std/cmp.rs" 115 4 115 52] (x : t_Reverse'0) (y : t_Reverse'0) (z : t_Reverse'0) (o : t_Ordering'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 147 4 147 33] (self : t_IterMut'0) : t_FMap'0 - goal vc_trans'0 : ([%#scmp1] cmp_log'0 y z = o) -> ([%#scmp0] cmp_log'0 x y = o) -> ([%#scmp2] cmp_log'0 x z = o) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym1 [#"../../../creusot-contracts/src/std/cmp.rs" 121 4 121 33] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 119 15 119 45 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 120 14 120 47 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 117 4 117 10 - let%span scmp3 = 
"../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Int - type t_T'0 + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq7] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use map.Map - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use map.Map - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + = + [%#sfmap10] Map.get (view'1 self) k - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, borrowed t_V'0) - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq9] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 155 4 155 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . 
get'1 visited i1 + = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + constant a : t_IterMut'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + constant ab : Seq.seq (t_K'0, borrowed t_V'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + constant b : t_IterMut'0 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + constant bc : Seq.seq (t_K'0, borrowed t_V'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + constant c : t_IterMut'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 187 4 187 90] (a : t_IterMut'0) (ab : Seq.seq (t_K'0, borrowed t_V'0)) (b : t_IterMut'0) (bc : Seq.seq (t_K'0, borrowed t_V'0)) (c : t_IterMut'0) : () + - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 
0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 75 4 75 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 74 14 74 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 4 72 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_T'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + use seq.Seq - constant x : t_Reverse'0 + use prelude.prelude.UInt16 - constant y : t_Reverse'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function antisym1'0 [#"../../../creusot-contracts/src/std/cmp.rs" 121 4 121 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - goal vc_antisym1'0 : ([%#scmp0] cmp_log'0 x y = C_Less'0) -> ([%#scmp1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym2 [#"../../../creusot-contracts/src/std/cmp.rs" 127 4 127 33] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 125 15 125 48 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 126 14 126 44 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 123 4 123 10 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = 
"../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Opaque - type t_T'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use set.Fset - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_Iter'0) : Fset.fset t_T'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use set.Fset - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.Int - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use set.Fset - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset3] Fset.mem e self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 54 4 54 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#shash_set2] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + constant self : t_Iter'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 75 4 75 26] (self : t_Iter'0) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 82 4 82 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 79 15 79 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 80 15 80 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 14 81 42 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 84 24 84 121 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 85 24 85 102 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 83 8 83 44 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span sseq8 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfset11 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UInt16 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - constant x : t_Reverse'0 + use prelude.prelude.Opaque - constant y : t_Reverse'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/std/cmp.rs" 127 4 127 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - goal vc_antisym2'0 : ([%#scmp0] cmp_log'0 x y = C_Greater'0) -> ([%#scmp1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__eq_cmp [#"../../../creusot-contracts/src/std/cmp.rs" 132 4 132 31] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 131 14 131 59 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 129 4 129 10 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span 
sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - type t_T'0 + use prelude.prelude.UIntSize - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + type t_T'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + use set.Fset - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_Iter'0) : Fset.fset t_T'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use set.Fset - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.Int - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use set.Fset - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate contains'1 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset11] Fset.mem e self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq9] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 54 4 54 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#shash_set7] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'1 (view'0 self) x -> contains'0 visited x \/ contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 visited x -> contains'1 (view'0 self) x /\ not contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 (view'0 o) x -> contains'1 (view'0 self) x /\ not contains'0 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use seq.Seq - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq8] () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom concat_contains'0_spec : forall _1 : () . [%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function get'0 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq t_T'0) (ix : int) : t_Option'0 + + = + [%#sseq10] if 0 <= ix /\ ix < Seq.length self then C_Some'0 (Seq.get self ix) else C_None'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + constant a : t_Iter'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + constant ab : Seq.seq t_T'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + constant b : t_Iter'0 - constant x : t_Reverse'0 + constant bc : Seq.seq t_T'0 - constant y : t_Reverse'0 + constant c : t_Iter'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/std/cmp.rs" 132 4 132 31] (x : t_Reverse'0) (y : t_Reverse'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 82 4 82 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + - goal vc_eq_cmp'0 : [%#scmp0] (x = y) = (cmp_log'0 x y = C_Equal'0) + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> ([%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x = contains'0 a x + \/ contains'0 b x) + -> (let _ = concat_contains'0 () in ([%#shash_set4] forall i : int, x : t_T'0 . 
Seq.length ab <= i + /\ get'0 (Seq.(++) ab bc) i = C_Some'0 x -> contains'0 bc x) + && (let _ = () in let _ = () in ([%#shash_set5] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in let _ = () in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c))) end -module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_refl [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (* as std::iter::Iterator> *) - let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 177 14 177 45 - let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 175 4 175 10 - let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 124 4 124 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 123 14 123 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 121 4 121 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 use seq.Seq - use prelude.prelude.Borrow - type t_T'0 use seq.Seq - use prelude.prelude.Opaque + use 
prelude.prelude.UInt16 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Iter'1 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - type t_Iter'0 = - { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } + use prelude.prelude.Opaque - use prelude.prelude.Slice + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - use seq.Seq + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - use seq.Seq + use prelude.prelude.UIntSize - use seq.Seq + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - use prelude.prelude.UIntSize + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | 
C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - use prelude.prelude.UIntSize + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - use prelude.prelude.Int + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - use prelude.prelude.Slice + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - axiom view'2_spec : forall self : slice t_T'0 . 
([%#sslice7] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice8] view'2 self = Slice.id self) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel5] view'2 self + use set.Fset - use seq.Seq + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 95 4 95 33] (self : t_IntoIter'0) : Fset.fset t_T'0 + + + use set.Fset use seq.Seq - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex6] Seq.get (view'2 self) ix + use prelude.prelude.Int - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 + use set.Fset - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset3] Fset.mem e self use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 103 4 103 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = - [%#sdeque2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) + [%#shash_set2] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - constant self : t_Iter'0 + constant self : t_IntoIter'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (self : t_Iter'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 124 4 124 26] (self : t_IntoIter'0) : () + - goal vc_produces_refl'0 : [%#sdeque0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_trans [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (* as std::iter::Iterator> *) - let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 182 15 182 32 - let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 183 15 183 32 - let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 184 14 184 42 - let%span sdeque3 = "../../../creusot-contracts/src/std/deque.rs" 180 4 180 10 - let%span sdeque4 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 - let%span sslice5 = 
"../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 131 4 131 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 128 15 128 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 15 129 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 130 14 130 42 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 133 24 133 121 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 134 24 134 102 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 132 8 132 44 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span sseq8 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfset11 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } use prelude.prelude.Opaque + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type 
t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + use prelude.prelude.UIntSize + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + type t_NonNull'0 = { t_NonNull__pointer'0: opaque_ptr } - type t_Iter'1 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | 
C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - type t_Iter'0 = - { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } + type t_Option'1 = + | C_None'1 + | C_Some'1 (t_NonNull'0, t_Layout'0, ()) - use prelude.prelude.Borrow + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'1; t_RawIntoIter__marker'0: () } + + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } type t_T'0 use seq.Seq - use prelude.prelude.Slice + use set.Fset - function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 95 4 95 33] (self : t_IntoIter'0) : Fset.fset t_T'0 + - use seq.Seq + use set.Fset use seq.Seq - use seq.Seq + use prelude.prelude.Int - use prelude.prelude.UIntSize + use set.Fset - constant v_MAX'0 : usize = (18446744073709551615 : usize) + predicate contains'1 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset11] Fset.mem e self - use prelude.prelude.UIntSize + use seq.Seq - use prelude.prelude.Int + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq9] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - use prelude.prelude.Slice + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 103 4 103 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#shash_set7] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'1 (view'0 self) x -> contains'0 visited x \/ contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 visited x -> contains'1 (view'0 self) x /\ not contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 (view'0 o) x -> contains'1 (view'0 self) x /\ not contains'0 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + use seq.Seq - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice10] view'2 self = Slice.id self) - - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel7] view'2 self - - use seq.Seq - - use seq.Seq - - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex8] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq8] () - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice6] forall i : int . 
0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + axiom concat_contains'0_spec : forall _1 : () . [%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function get'0 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq t_T'0) (ix : int) : t_Option'0 = - [%#sdeque4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) + [%#sseq10] if 0 <= ix /\ ix < Seq.length self then C_Some'0 (Seq.get self ix) else C_None'0 - constant a : t_Iter'0 + constant a : t_IntoIter'0 constant ab : Seq.seq t_T'0 - constant b : t_Iter'0 + constant b : t_IntoIter'0 constant bc : Seq.seq t_T'0 - constant c : t_Iter'0 + constant c : t_IntoIter'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 131 4 131 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - goal vc_produces_trans'0 : ([%#sdeque1] produces'0 b bc c) - -> ([%#sdeque0] produces'0 a ab b) -> ([%#sdeque2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> ([%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x = contains'0 a x + \/ contains'0 b x) + -> (let _ = concat_contains'0 () in ([%#shash_set4] forall i : int, x : t_T'0 . 
Seq.length ab <= i + /\ get'0 (Seq.(++) ab bc) i = C_Some'0 x -> contains'0 bc x) + && (let _ = () in let _ = () in ([%#shash_set5] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in let _ = () in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c))) end -module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_refl [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (* as std::iter::Iterator> *) - let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 57 14 57 45 - let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 55 4 55 10 - let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 - let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 209 4 209 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 208 14 208 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 206 4 206 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 use seq.Seq + use prelude.prelude.Borrow + type t_T'0 use seq.Seq - type t_I'0 + use prelude.prelude.UInt16 - type t_Cloned'0 = - { t_Cloned__it'0: t_I'0 } + type 
t_BitMask'0 = + { t_BitMask__0'0: uint16 } - use prelude.prelude.Borrow + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - use seq.Seq + use prelude.prelude.Opaque - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x - = match x with - | {t_Cloned__it'0 = it} -> inv'1 it - end + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + use prelude.prelude.UIntSize - axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned3] inv'0 self -> inv'1 (iter'0 self) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - use seq.Seq + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - use seq.Seq + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + type t_S'0 - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - use seq.Seq + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 180 4 180 33] (self : t_Intersection'0) : Fset.fset t_T'0 + + + use set.Fset use seq.Seq use prelude.prelude.Int - use seq.Seq + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset3] Fset.mem e self use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 188 4 188 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = - [%#scloned2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [%#shash_set2] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - constant self : t_Cloned'0 + constant self : t_Intersection'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (self : t_Cloned'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 209 4 209 26] (self : t_Intersection'0) : () + - goal vc_produces_refl'0 : [%#scloned0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_trans [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (* as std::iter::Iterator> *) - let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 62 15 62 32 - let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 63 15 63 32 - let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 64 14 64 42 - let%span scloned3 = 
"../../../creusot-contracts/src/std/iter/cloned.rs" 60 4 60 10 - let%span scloned4 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 - let%span scloned5 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 213 15 213 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 214 15 214 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 215 14 215 42 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 218 24 218 121 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 219 24 219 102 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 217 8 217 44 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sseq8 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfset11 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 - type t_I'0 + use prelude.prelude.UInt16 - type t_Cloned'0 = - { t_Cloned__it'0: t_I'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_T'0 + type 
t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - use seq.Seq + use prelude.prelude.Opaque - use prelude.prelude.Borrow + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - use seq.Seq + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) + use prelude.prelude.UIntSize - axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x - = match x with - | {t_Cloned__it'0 = it} -> inv'1 it - end + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned5] inv'0 self -> inv'1 (iter'0 self) + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - use seq.Seq + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - use seq.Seq + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + use prelude.prelude.Borrow - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + type t_S'0 - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + type t_T'0 use seq.Seq + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 180 4 180 33] (self : t_Intersection'0) : Fset.fset t_T'0 + + + use set.Fset + use seq.Seq use prelude.prelude.Int - use seq.Seq + use set.Fset + + predicate contains'1 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset11] Fset.mem e self use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq9] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 188 4 188 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = - [%#scloned4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [%#shash_set7] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'1 (view'0 self) x -> contains'0 visited x \/ contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 visited x -> contains'1 (view'0 self) x /\ not contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 (view'0 o) x -> contains'1 (view'0 self) x /\ not contains'0 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) use seq.Seq - constant a : t_Cloned'0 + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq8] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . 
contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + function get'0 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq t_T'0) (ix : int) : t_Option'0 + + = + [%#sseq10] if 0 <= ix /\ ix < Seq.length self then C_Some'0 (Seq.get self ix) else C_None'0 + + constant a : t_Intersection'0 constant ab : Seq.seq t_T'0 - constant b : t_Cloned'0 + constant b : t_Intersection'0 constant bc : Seq.seq t_T'0 - constant c : t_Cloned'0 + constant c : t_Intersection'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (a : t_Cloned'0) (ab : Seq.seq t_T'0) (b : t_Cloned'0) (bc : Seq.seq t_T'0) (c : t_Cloned'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 90] (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () - goal vc_produces_trans'0 : ([%#scloned1] produces'0 b bc c) - -> ([%#scloned0] produces'0 a ab b) -> ([%#scloned2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> ([%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x = contains'0 a x + \/ contains'0 b x) + -> (let _ = concat_contains'0 () in ([%#shash_set4] forall i : int, x : t_T'0 . Seq.length ab <= i + /\ get'0 (Seq.(++) ab bc) i = C_Some'0 x -> contains'0 bc x) + && (let _ = () in let _ = () in ([%#shash_set5] forall i : int . 
0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in let _ = () in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c))) end -module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_refl [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (* as std::iter::Iterator> *) - let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 - let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 55 4 55 10 - let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 - let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_le_log [#"../../../creusot-contracts/src/std/cmp.rs" 88 4 88 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 87 14 87 64 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 85 4 85 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = 
"../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - type t_I'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_Copied'0 = - { t_Copied__it'0: t_I'0 } + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - use prelude.prelude.Borrow + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x - = match x with - | {t_Copied__it'0 = it} -> inv'1 it - end + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied3] inv'0 self -> inv'1 (iter'0 self) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use prelude.prelude.Int + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 = - [%#scopied2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - constant self : t_Copied'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Greater'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (self : t_Copied'0) : () + constant x : t_Reverse'0 - goal vc_produces_refl'0 : [%#scopied0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_trans [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (* as std::iter::Iterator> *) - let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 - let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 - let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 - let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 60 4 60 10 - let%span scopied4 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 - let%span scopied5 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + constant y : t_Reverse'0 - type t_I'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 88 4 88 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - type t_Copied'0 = - { t_Copied__it'0: t_I'0 } + goal vc_cmp_le_log'0 : [%#scmp0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) +end +module 
M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_lt_log [#"../../../creusot-contracts/src/std/cmp.rs" 93 4 93 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 92 14 92 61 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 90 4 90 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 type t_T'0 - use seq.Seq - - use prelude.prelude.Borrow + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x - = match x with - | {t_Copied__it'0 = it} -> inv'1 it - end + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'0 self -> inv'1 (iter'0 self) + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use seq.Seq + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) - - = - [%#scopied4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - constant a : t_Copied'0 + axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - constant ab : Seq.seq t_T'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - constant b : t_Copied'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - constant bc : Seq.seq t_T'0 + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - constant c : t_Copied'0 + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + = + [%#sord2] cmp_log'0 self o = C_Less'0 - goal vc_produces_trans'0 : ([%#scopied1] produces'0 b bc c) - -> ([%#scopied0] produces'0 a ab b) -> ([%#scopied2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_refl [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (* as std::iter::Iterator> *) - let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 18 14 18 45 - let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 16 4 16 10 - let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 93 4 93 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + + + goal vc_cmp_lt_log'0 : [%#scmp0] lt_log'0 
x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_ge_log [#"../../../creusot-contracts/src/std/cmp.rs" 98 4 98 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 97 14 97 61 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 95 4 95 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - type t_Empty'0 = - { t_Empty__0'0: () } + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - = - [%#sempty2] visited = 
(Seq.empty : Seq.seq t_T'0) /\ self = o - constant self : t_Empty'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (self : t_Empty'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - goal vc_produces_refl'0 : [%#sempty0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_trans [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (* as std::iter::Iterator> *) - let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 23 15 23 32 - let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 24 15 24 32 - let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 25 14 25 42 - let%span sempty3 = "../../../creusot-contracts/src/std/iter/empty.rs" 21 4 21 10 - let%span sempty4 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_Empty'0 = - { t_Empty__0'0: () } + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - type t_T'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use seq.Seq + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - = - [%#sempty4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant a : t_Empty'0 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - constant ab : Seq.seq t_T'0 + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - constant b : t_Empty'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - constant bc : Seq.seq t_T'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - constant c : t_Empty'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (a : t_Empty'0) (ab : Seq.seq t_T'0) (b : t_Empty'0) (bc : Seq.seq t_T'0) (c : t_Empty'0) : () - + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - goal vc_produces_trans'0 : ([%#sempty1] produces'0 b bc c) - -> ([%#sempty0] produces'0 a ab b) -> ([%#sempty2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_refl [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (* as std::iter::Iterator> *) - let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 82 14 82 45 - let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 80 4 80 10 - let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 - let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span senumerate8 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - use prelude.prelude.UIntSize + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - type t_Item'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - type t_I'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - type t_Enumerate'0 = - { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - use prelude.prelude.Int + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Less'0 - use seq.Seq + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 98 4 98 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + goal vc_cmp_ge_log'0 : [%#scmp0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) +end +module 
M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_gt_log [#"../../../creusot-contracts/src/std/cmp.rs" 103 4 103 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 102 14 102 64 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 100 4 100 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : 
t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - use seq.Seq + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.UIntSize + axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.Borrow + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate3] inv'0 self -> inv'1 (iter'0 self) + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = - [%#senumerate8] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i - -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) - /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . 
inv'0 x - = (invariant'0 x - /\ match x with - | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter - end) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool = - [%#senumerate2] Seq.length visited = n'0 o - n'0 self - /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 
0 <= i /\ i < Seq.length s - -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i - /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [%#sord2] cmp_log'0 self o = C_Greater'0 - constant self : t_Enumerate'0 + constant x : t_Reverse'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (self : t_Enumerate'0) : () + constant y : t_Reverse'0 + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 103 4 103 35] (x : t_Reverse'0) (y : t_Reverse'0) : () - goal vc_produces_refl'0 : [%#senumerate0] produces'0 self (Seq.empty : Seq.seq (usize, t_Item'0)) self + goal vc_cmp_gt_log'0 : [%#scmp0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_trans [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (* as std::iter::Iterator> *) - let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 87 15 87 32 - let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 88 15 88 32 - let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 89 14 89 42 - let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 85 4 85 10 - let%span senumerate4 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 - let%span senumerate5 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span senumerate10 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 - - type t_I'0 +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__refl 
[#"../../../creusot-contracts/src/std/cmp.rs" 108 4 108 20] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 107 14 107 45 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 105 4 105 10 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.UIntSize + type t_T'0 - type t_Enumerate'0 = - { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - type t_Item'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - use seq.Seq + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - use seq.Seq + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter6] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - constant v_MAX'0 : usize = (18446744073709551615 : usize) + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.UIntSize + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use prelude.prelude.Borrow + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom iter'0_spec : forall self : t_Enumerate'0 . 
[%#senumerate5] inv'0 self -> inv'1 (iter'0 self) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = - [%#senumerate10] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i - -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) - /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter - end) + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - use seq.Seq + constant x : t_Reverse'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + function refl'0 [#"../../../creusot-contracts/src/std/cmp.rs" 108 4 108 20] (x : t_Reverse'0) : () + + goal vc_refl'0 : [%#scmp0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__trans [#"../../../creusot-contracts/src/std/cmp.rs" 115 4 115 52] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 112 15 112 32 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 113 
15 113 32 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 114 14 114 31 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 110 4 110 10 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - = - [%#senumerate4] Seq.length visited = n'0 o - n'0 self - /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 
0 <= i /\ i < Seq.length s - -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i - /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) - use seq.Seq + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - constant a : t_Enumerate'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant ab : Seq.seq (usize, t_Item'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - constant b : t_Enumerate'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) - constant bc : Seq.seq (usize, t_Item'0) + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - constant c : t_Enumerate'0 + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (a : t_Enumerate'0) (ab : Seq.seq (usize, t_Item'0)) (b : t_Enumerate'0) (bc : Seq.seq (usize, t_Item'0)) (c : t_Enumerate'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - goal vc_produces_trans'0 : ([%#senumerate1] produces'0 b bc c) - -> ([%#senumerate0] produces'0 a ab b) -> ([%#senumerate2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_refl [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (* as std::iter::Iterator> *) - let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 105 14 105 45 - let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 103 4 103 10 - let%span sfilter2 = 
"../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 - let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 - let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 - let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_Item'0 + axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - type t_I'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - type t_F'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_Filter'0 = - { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use prelude.prelude.Borrow + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () - + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops12] postcondition_once'0 self args res - = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp4] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops9] unnest'0 self b) - -> ([%#sops10] unnest'0 b c) -> ([%#sops11] unnest'0 self c) + constant x : t_Reverse'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + constant y : t_Reverse'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops8] unnest'0 self self + constant z : t_Reverse'0 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/std/cmp.rs" 115 4 115 52] (x : t_Reverse'0) (y : t_Reverse'0) (z : t_Reverse'0) (o : t_Ordering'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . 
([%#sops6] postcondition_mut'0 self args res_state res) - -> ([%#sops7] unnest'0 self res_state) + goal vc_trans'0 : ([%#scmp1] cmp_log'0 y z = o) -> ([%#scmp0] cmp_log'0 x y = o) -> ([%#scmp2] cmp_log'0 x z = o) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym1 [#"../../../creusot-contracts/src/std/cmp.rs" 121 4 121 33] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 119 15 119 45 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 120 14 120 47 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 117 4 117 10 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = - [%#sfilter3] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) - /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) - /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . 
not (postcondition_mut'0 f1 (i) f2 true - /\ postcondition_mut'0 f1 (i) f2 false)) + type t_T'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' - end) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter4] inv'0 self -> inv'1 (func'0 self) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use map.Map + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - axiom iter'0_spec : forall self : t_Filter'0 . 
[%#sfilter5] inv'0 self -> inv'2 (iter'0 self) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter14] produces'1 a ab b) - -> ([%#siter15] produces'1 b bc c) -> ([%#siter16] produces'1 a (Seq.(++) ab bc) c) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter13] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use seq.Seq + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use map.Map + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) - - = - [%#sfilter2] invariant'0 self - -> unnest'0 (func'0 self) (func'0 succ) - /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited - -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) - = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - constant self : t_Filter'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (self : t_Filter'0) : () + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - goal vc_produces_refl'0 : [%#sfilter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_trans [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (* as std::iter::Iterator> *) - let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 110 15 110 32 - let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 111 15 111 32 - let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 112 14 112 42 - let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 108 4 108 10 - let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 - let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 - let%span sfilter6 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 - let%span sfilter7 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : 
t_T'0) : bool - type t_I'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - type t_F'0 + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - type t_Filter'0 = - { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - type t_Item'0 + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use prelude.prelude.Borrow + function antisym1'0 [#"../../../creusot-contracts/src/std/cmp.rs" 121 4 121 33] (x : t_Reverse'0) (y : t_Reverse'0) : () + - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + goal vc_antisym1'0 : ([%#scmp0] cmp_log'0 x y = C_Less'0) -> ([%#scmp1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym2 [#"../../../creusot-contracts/src/std/cmp.rs" 127 4 127 33] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 125 15 125 48 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 126 14 126 44 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 123 4 123 10 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = 
"../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - + type t_T'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops14] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops11] unnest'0 self b) - -> ([%#sops12] unnest'0 b c) -> ([%#sops13] unnest'0 self c) + axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops10] unnest'0 self self + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops8] postcondition_mut'0 self args res_state res) - -> ([%#sops9] unnest'0 self res_state) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = - [%#sfilter5] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) - /\ (forall f : t_F'0, g : t_F'0 . 
unnest'0 f g -> f = g) - /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true - /\ postcondition_mut'0 f1 (i) f2 false)) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' - end) + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter6] inv'0 self -> inv'1 (func'0 self) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use map.Map + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter7] inv'0 self -> inv'2 (iter'0 self) + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use seq.Seq + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter16] produces'1 a ab b) - -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) + constant x : t_Reverse'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + constant y : t_Reverse'0 - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function antisym2'0 [#"../../../creusot-contracts/src/std/cmp.rs" 127 4 127 33] (x : t_Reverse'0) (y : t_Reverse'0) : () + - use seq.Seq + goal vc_antisym2'0 : ([%#scmp0] cmp_log'0 x y = C_Greater'0) -> ([%#scmp1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__eq_cmp [#"../../../creusot-contracts/src/std/cmp.rs" 132 4 132 31] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 131 14 131 59 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 129 4 129 10 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use map.Map + type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - = - [%#sfilter4] invariant'0 self - -> unnest'0 (func'0 self) (func'0 succ) - /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited - -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) - = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - constant a : t_Filter'0 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - constant ab : Seq.seq t_Item'0 + axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant b : t_Filter'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - constant bc : Seq.seq t_Item'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - constant c : t_Filter'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (a : t_Filter'0) (ab : Seq.seq t_Item'0) (b : t_Filter'0) (bc : Seq.seq t_Item'0) (c : t_Filter'0) : () + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - goal vc_produces_trans'0 : ([%#sfilter1] produces'0 b bc c) - -> ([%#sfilter0] produces'0 a ab b) -> ([%#sfilter2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_refl [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (* as std::iter::Iterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_Item'0 + axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - type t_I'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse3] inv'0 self -> inv'1 (view'0 self)) - && ([%#sfuse4] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + constant x : t_Reverse'0 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + constant y : t_Reverse'0 - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/std/cmp.rs" 132 4 132 31] (x : t_Reverse'0) (y : t_Reverse'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + goal vc_eq_cmp'0 : [%#scmp0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_refl [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (* as std::iter::Iterator> *) + let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 177 14 177 45 + let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 175 4 175 10 + let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) - - = - [%#sfuse2] match view'0 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self - | C_Some'0 i -> match view'0 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end + use seq.Seq - constant self : t_Fuse'0 + use prelude.prelude.Borrow - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () + type t_T'0 - goal vc_produces_refl'0 : [%#sfuse0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_trans [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (* as std::iter::Iterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 - let%span 
sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + use seq.Seq - type t_I'0 + use prelude.prelude.Opaque - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + type t_Iter'1 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - type t_Item'0 + type t_Iter'0 = + { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } + + use prelude.prelude.Slice + + function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 use seq.Seq use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.UIntSize - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + constant v_MAX'0 : usize = (18446744073709551615 : usize) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + use prelude.prelude.UIntSize - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + use prelude.prelude.Int - function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + use prelude.prelude.Slice - axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse5] inv'0 self -> inv'1 (view'0 self)) - && ([%#sfuse6] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice8] view'2 self = Slice.id self) + + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel5] view'2 self use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use seq.Seq - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + = + [%#sindex6] Seq.get (view'2 self) ix - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#sfuse4] match view'0 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self - | C_Some'0 i -> match view'0 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end + [%#sdeque2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant a : t_Fuse'0 + constant self : t_Iter'0 - constant ab : Seq.seq t_Item'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (self : t_Iter'0) : () - constant b : t_Fuse'0 + goal vc_produces_refl'0 : [%#sdeque0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_trans [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (* as std::iter::Iterator> *) + let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 182 15 182 32 + let%span sdeque1 = 
"../../../creusot-contracts/src/std/deque.rs" 183 15 183 32 + let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 184 14 184 42 + let%span sdeque3 = "../../../creusot-contracts/src/std/deque.rs" 180 4 180 10 + let%span sdeque4 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - constant bc : Seq.seq t_Item'0 + use prelude.prelude.Opaque - constant c : t_Fuse'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () - + type t_Iter'1 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - goal vc_produces_trans'0 : ([%#sfuse1] produces'0 b bc c) - -> ([%#sfuse0] produces'0 a ab b) -> ([%#sfuse2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi7691061398646472980__is_fused [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (* as std::iter::fuse::FusedIterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 63 15 63 31 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 64 15 64 44 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 65 14 65 50 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 61 4 61 10 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 20 12 21 28 - let%span sfuse5 = 
"../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 - let%span sfuse7 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 - let%span sfuse8 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 - let%span sfuse9 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 - let%span sfuse10 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 - let%span sfuse11 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 - let%span smodel12 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sfuse13 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse14 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + type t_Iter'0 = + { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } - type t_I'0 + use prelude.prelude.Borrow - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + type t_T'0 - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + use seq.Seq - type t_Item'0 + use prelude.prelude.Slice + + function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 use seq.Seq use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.UIntSize - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + constant v_MAX'0 : usize = (18446744073709551615 : usize) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + use prelude.prelude.UIntSize - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + use prelude.prelude.Int - function view'1 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + use prelude.prelude.Slice - axiom view'1_spec : forall self : t_Fuse'0 . ([%#sfuse13] inv'0 self -> inv'1 (view'1 self)) - && ([%#sfuse14] forall other : t_Fuse'0 . view'1 self = view'1 other -> self = other) + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice10] view'2 self = Slice.id self) + + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel7] view'2 self use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use seq.Seq - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + = + [%#sindex8] Seq.get (view'2 self) ix - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter16] produces'1 a ab b) - -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#sfuse5] match view'1 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'1 other = view'1 self - | C_Some'0 i -> match view'1 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end - - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () - - = - [%#sfuse11] () - - axiom produces_trans'0_spec : forall a : t_Fuse'0, ab : Seq.seq t_Item'0, b : t_Fuse'0, bc : Seq.seq t_Item'0, c : t_Fuse'0 . ([%#sfuse8] produces'0 a ab b) - -> ([%#sfuse9] produces'0 b bc c) -> ([%#sfuse10] produces'0 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () = - [%#sfuse7] () - - axiom produces_refl'0_spec : forall self : t_Fuse'0 . 
[%#sfuse6] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Borrow - - function view'0 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (t_Fuse'0)) : t_Option'0 = - [%#smodel12] view'1 self.current + [%#sdeque4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + constant a : t_Iter'0 - predicate completed'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 18 4 18 35] (self : borrowed (t_Fuse'0)) = - [%#sfuse4] (view'0 self = C_None'0 - \/ (exists it : borrowed t_I'0 . completed'1 it /\ view'0 self = C_Some'0 (it.current))) - /\ view'1 self.final = C_None'0 + constant ab : Seq.seq t_T'0 - constant self : borrowed (t_Fuse'0) + constant b : t_Iter'0 - constant steps : Seq.seq t_Item'0 + constant bc : Seq.seq t_T'0 - constant next : t_Fuse'0 + constant c : t_Iter'0 - function is_fused'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (self : borrowed (t_Fuse'0)) (steps : Seq.seq t_Item'0) (next : t_Fuse'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - goal vc_is_fused'0 : ([%#sfuse1] produces'0 self.final steps next) - -> ([%#sfuse0] completed'0 self) -> ([%#sfuse2] steps = (Seq.empty : Seq.seq t_Item'0) /\ self.final = next) + goal vc_produces_trans'0 : ([%#sdeque1] produces'0 b bc c) + -> ([%#sdeque0] produces'0 a ab b) -> ([%#sdeque2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_refl [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (* as std::iter::Iterator> *) - let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 80 14 80 45 - let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 78 4 78 10 - let%span smap2 = 
"../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 - let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 - let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_refl [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (* as std::iter::Iterator> *) + let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 57 14 57 45 + let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 55 4 55 10 + let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 + let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - type t_B'0 + type t_T'0 use seq.Seq type t_I'0 - type t_F'0 + type 
t_Cloned'0 = + { t_Cloned__it'0: t_I'0 } - type t_Map'0 = - { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + use prelude.prelude.Borrow - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x + axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x = match x with - | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f + | {t_Cloned__it'0 = it} -> inv'1 it end - function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 + function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 - axiom func'0_spec : forall self : t_Map'0 . [%#smap3] inv'0 self -> inv'1 (func'0 self) + axiom iter'0_spec : forall self : t_Cloned'0 . 
[%#scloned3] inv'0 self -> inv'1 (iter'0 self) - type t_Item'0 + use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - use prelude.prelude.Borrow + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) - + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops11] postcondition_once'0 self args res - = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + use seq.Seq - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + use seq.Seq - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + = + [%#scloned2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) - -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) + constant self : t_Cloned'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (self : t_Cloned'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops7] unnest'0 self self + goal vc_produces_refl'0 : [%#scloned0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_trans [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (* as std::iter::Iterator> *) + let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 62 15 62 32 + let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 63 15 63 32 + let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 64 14 64 42 + let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 60 4 60 10 + let%span scloned4 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 + let%span scloned5 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - + type t_I'0 - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . 
([%#sops5] postcondition_mut'0 self args res_state res) - -> ([%#sops6] unnest'0 self res_state) + type t_Cloned'0 = + { t_Cloned__it'0: t_I'0 } - use seq.Seq + type t_T'0 use seq.Seq - use seq.Seq + use prelude.prelude.Borrow use seq.Seq - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) - axiom iter'0_spec : forall self : t_Map'0 . [%#smap4] inv'0 self -> inv'2 (iter'0 self) + axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x + = match x with + | {t_Cloned__it'0 = it} -> inv'1 it + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned5] inv'0 self -> inv'1 (iter'0 self) use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter13] produces'1 a ab b) - -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use prelude.prelude.Int + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self use seq.Seq use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + use prelude.prelude.Int use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) = - [%#smap2] unnest'0 (func'0 self) (func'0 succ) - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited - /\ produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - func'0 self = func'0 succ - else - (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 (func'0 self) (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) + [%#scloned4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - constant self : t_Map'0 + use seq.Seq - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (self : t_Map'0) : () + constant a : t_Cloned'0 - goal vc_produces_refl'0 : [%#smap0] produces'0 self (Seq.empty : Seq.seq t_B'0) self -end -module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_trans [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (* as std::iter::Iterator> *) - let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 85 15 85 32 - let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 86 15 86 32 - let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 87 14 87 42 - let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 83 4 83 10 - let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 - let%span smap5 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 - let%span smap6 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 127 14 
128 105 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + constant ab : Seq.seq t_T'0 - type t_I'0 + constant b : t_Cloned'0 - type t_F'0 + constant bc : Seq.seq t_T'0 - type t_Map'0 = - { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + constant c : t_Cloned'0 - type t_B'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (a : t_Cloned'0) (ab : Seq.seq t_T'0) (b : t_Cloned'0) (bc : Seq.seq t_T'0) (c : t_Cloned'0) : () + + + goal vc_produces_trans'0 : ([%#scloned1] produces'0 b bc c) + -> ([%#scloned0] produces'0 a ab b) -> ([%#scloned2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_refl [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (* as std::iter::Iterator> *) + let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 + let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 55 4 55 10 + let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_T'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate inv'0 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + type t_I'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x + type t_Copied'0 = + { t_Copied__it'0: t_I'0 } + + use prelude.prelude.Borrow + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x = match x with - | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f + | {t_Copied__it'0 = it} -> inv'1 it end - function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 + function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 - axiom func'0_spec : forall self : t_Map'0 . [%#smap5] inv'0 self -> inv'1 (func'0 self) + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied3] inv'0 self -> inv'1 (iter'0 self) - type t_Item'0 + use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - use prelude.prelude.Borrow + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) - + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops13] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + use seq.Seq - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + use seq.Seq - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + = + [%#scopied2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops10] unnest'0 self b) - -> ([%#sops11] unnest'0 b c) -> ([%#sops12] unnest'0 self c) + constant self : t_Copied'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (self : t_Copied'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops9] unnest'0 self self + goal vc_produces_refl'0 : [%#scopied0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_trans [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (* as std::iter::Iterator> *) + let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 + let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 + let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 + let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 60 4 60 10 + let%span scopied4 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span scopied5 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - + type t_I'0 - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . 
([%#sops7] postcondition_mut'0 self args res_state res) - -> ([%#sops8] unnest'0 self res_state) + type t_Copied'0 = + { t_Copied__it'0: t_I'0 } - use seq.Seq + type t_T'0 use seq.Seq - use seq.Seq + use prelude.prelude.Borrow use seq.Seq - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) - axiom iter'0_spec : forall self : t_Map'0 . [%#smap6] inv'0 self -> inv'2 (iter'0 self) + axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x + = match x with + | {t_Copied__it'0 = it} -> inv'1 it + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'0 self -> inv'1 (iter'0 self) use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter15] produces'1 a ab b) - -> ([%#siter16] produces'1 b bc c) -> ([%#siter17] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter14] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Int + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self use seq.Seq use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + use prelude.prelude.Int use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) = - [%#smap4] unnest'0 (func'0 self) (func'0 succ) - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited - /\ produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - func'0 self = func'0 succ - else - (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 (func'0 self) (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) + [%#scopied4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) use seq.Seq - constant a : t_Map'0 + constant a : t_Copied'0 - constant ab : Seq.seq t_B'0 + constant ab : Seq.seq t_T'0 - constant b : t_Map'0 + constant b : t_Copied'0 - constant bc : Seq.seq t_B'0 + constant bc : Seq.seq t_T'0 - constant c : t_Map'0 + constant c : t_Copied'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (a : t_Map'0) (ab : Seq.seq t_B'0) (b : t_Map'0) (bc : Seq.seq t_B'0) (c : t_Map'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () - goal vc_produces_trans'0 : ([%#smap1] produces'0 b bc c) - -> ([%#smap0] produces'0 a ab b) -> ([%#smap2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#scopied1] produces'0 b bc c) + -> ([%#scopied0] produces'0 a ab b) -> ([%#scopied2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_refl [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 
14 128 105 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_refl [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (* as std::iter::Iterator> *) + let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 18 14 18 45 + let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 16 4 16 10 + let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 use seq.Seq - type t_B'0 + type t_T'0 use seq.Seq - type t_I'0 - - type t_F'0 + type t_Empty'0 = + { t_Empty__0'0: () } - type t_Item'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + + = + [%#sempty2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - use seq.Seq + constant self : t_Empty'0 - use prelude.prelude.Snapshot + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (self : t_Empty'0) : () - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + goal vc_produces_refl'0 : [%#sempty0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_trans [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (* as std::iter::Iterator> *) + let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 23 15 23 32 + let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 24 15 24 32 + let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 25 14 25 42 + let%span sempty3 = 
"../../../creusot-contracts/src/std/iter/empty.rs" 21 4 21 10 + let%span sempty4 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + type t_Empty'0 = + { t_Empty__0'0: () } - use prelude.prelude.Borrow + type t_T'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + = + [%#sempty4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + use seq.Seq - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant a : t_Empty'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + constant ab : Seq.seq t_T'0 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops6] unnest'0 self b) - -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) + constant b : t_Empty'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + constant bc : Seq.seq t_T'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self + constant c : t_Empty'0 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (a : t_Empty'0) (ab : Seq.seq t_T'0) (b : t_Empty'0) (bc : Seq.seq t_T'0) (c : t_Empty'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) - -> ([%#sops4] unnest'0 self res_state) + goal vc_produces_trans'0 : ([%#sempty1] produces'0 b bc c) + -> ([%#sempty0] produces'0 a ab b) -> ([%#sempty2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_refl [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (* as std::iter::Iterator> *) + let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 82 14 82 45 + let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 80 4 80 10 + let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 + let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = 
"../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span senumerate8 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 use seq.Seq - use seq.Seq + use prelude.prelude.UIntSize - use seq.Seq + type t_Item'0 use seq.Seq - use seq.Seq + type t_I'0 + + type t_Enumerate'0 = + { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - - - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - - - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'1 a ab b) - -> ([%#siter12] produces'1 b bc c) -> ([%#siter13] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter10] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Snapshot - - use prelude.prelude.Snapshot - use prelude.prelude.Int - use seq.Seq + function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int use seq.Seq use seq.Seq - use prelude.prelude.Snapshot + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - use seq.Seq - - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - = - [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - constant self : t_MapInv'0 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - goal vc_produces_refl'0 : [%#smap_inv0] produces'0 self (Seq.empty : Seq.seq t_B'0) self -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_trans [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops9 = 
"../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - type t_I'0 + use seq.Seq - type t_F'0 + constant v_MAX'0 : usize = (18446744073709551615 : usize) - type t_Item'0 + use prelude.prelude.UIntSize - use seq.Seq + use prelude.prelude.Borrow - use prelude.prelude.Snapshot + predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - type t_B'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - use seq.Seq + function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate3] inv'0 self -> inv'1 (iter'0 self) - use prelude.prelude.Borrow + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = + [%#senumerate8] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . 
produces'1 (iter'0 self) s i + -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) + /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter + end) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () - + use seq.Seq - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops11] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + + = + [%#senumerate2] Seq.length visited = n'0 o - n'0 self + /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i + /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant self : t_Enumerate'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (self : t_Enumerate'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) - -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) + goal vc_produces_refl'0 : [%#senumerate0] produces'0 self (Seq.empty : Seq.seq (usize, t_Item'0)) self +end +module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_trans [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (* as std::iter::Iterator> *) + let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 87 15 87 32 + let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 88 15 88 32 + let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 89 14 89 42 + let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 85 4 85 10 + let%span senumerate4 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 + let%span senumerate5 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span senumerate10 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 - function 
unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_I'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self + use prelude.prelude.UIntSize - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + type t_Enumerate'0 = + { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) - -> ([%#sops6] unnest'0 self res_state) + type t_Item'0 use seq.Seq use seq.Seq - use seq.Seq + use prelude.prelude.Int + + function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int use seq.Seq 
@@ -2901,743 +3630,717 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__pr function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) - -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter6] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - use prelude.prelude.Snapshot + use seq.Seq - use prelude.prelude.Snapshot + constant v_MAX'0 : usize = (18446744073709551615 : usize) - use prelude.prelude.Int + use prelude.prelude.UIntSize - use seq.Seq + use prelude.prelude.Borrow - use seq.Seq + predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use prelude.prelude.Snapshot + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate5] inv'0 self -> inv'1 (iter'0 self) + + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = + [%#senumerate10] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i + -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) + /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . 
inv'0 x + = (invariant'0 x + /\ match x with + | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter + end) use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) = - [%#smap_inv4] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + [%#senumerate4] Seq.length visited = n'0 o - n'0 self + /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i + /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) use seq.Seq - constant a : t_MapInv'0 + constant a : t_Enumerate'0 - constant ab : Seq.seq t_B'0 + constant ab : Seq.seq (usize, t_Item'0) - constant b : t_MapInv'0 + constant b : t_Enumerate'0 - constant bc : Seq.seq t_B'0 + constant bc : Seq.seq (usize, t_Item'0) - constant c : t_MapInv'0 + constant c : t_Enumerate'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (a : t_Enumerate'0) (ab : Seq.seq (usize, t_Item'0)) (b : t_Enumerate'0) (bc : Seq.seq (usize, t_Item'0)) (c : t_Enumerate'0) : () - goal vc_produces_trans'0 : ([%#smap_inv1] produces'0 b bc c) - -> ([%#smap_inv0] produces'0 a ab b) -> ([%#smap_inv2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#senumerate1] produces'0 b bc c) + -> ([%#senumerate0] produces'0 a ab b) -> ([%#senumerate2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi5691635635396426195__resolve_coherence [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (* as resolve::Resolve> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 62 15 62 39 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 63 14 63 31 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 60 4 60 23 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 57 8 57 50 +module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_refl [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (* as std::iter::Iterator> *) + let%span sfilter0 = 
"../../../creusot-contracts/src/std/iter/filter.rs" 105 14 105 45 + let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 103 4 103 10 + let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 + let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 + let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 + let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - use prelude.prelude.Borrow + use seq.Seq - type t_I'0 - - type t_F'0 - - type t_B'0 + type t_Item'0 use seq.Seq - use prelude.prelude.Snapshot + type t_I'0 - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_B'0) } + type t_F'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : Snapshot.snap_ty (Seq.seq t_B'0)) - = - true + type t_Filter'0 = + { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.Borrow - predicate 
resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_I'0) + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_MapInv'0) = - match _1 with - | {t_MapInv__iter'0 = x0 ; t_MapInv__func'0 = x1 ; t_MapInv__produced'0 = x2} -> resolve'1 x2 - /\ resolve'2 x1 /\ resolve'3 x0 - end + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) + - predicate resolve'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 28] (self : t_MapInv'0) = - [%#smap_inv3] resolve'3 self.t_MapInv__iter'0 /\ resolve'2 self.t_MapInv__func'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - constant self : t_MapInv'0 + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) + - function resolve_coherence'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (self : t_MapInv'0) : () + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () - goal vc_resolve_coherence'0 : ([%#smap_inv0] structural_resolve'0 self) -> ([%#smap_inv1] resolve'0 self) -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4413682431414748756__next [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 4 90 44] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 91 39 91 58 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 94 16 94 76 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 95 31 95 71 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 99 38 99 88 
- let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 100 32 100 63 - let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 105 32 105 56 - let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 17 90 21 - let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 26 90 44 - let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 86 14 89 5 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 103 26 106 17 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 162 27 162 52 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 163 26 163 71 - let%span smap_inv12 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 163 15 163 31 - let%span smap_inv13 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 164 4 164 60 - let%span smap_inv14 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 165 15 165 30 - let%span smap_inv15 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 166 15 166 64 - let%span smap_inv16 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 167 14 167 74 - let%span smap_inv17 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 168 14 168 75 - let%span smap_inv18 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 - let%span smap_inv19 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 - let%span smap_inv20 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9 - let%span smap_inv21 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 74 12 76 73 - let%span smap_inv22 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 - let%span smap_inv23 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 - let%span smap_inv24 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 117 12 119 63 - let%span smap_inv25 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sresolve26 = 
"../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span smap_inv27 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv28 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv29 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv30 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv31 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv32 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span siter33 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter34 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter35 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter36 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span sops37 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops38 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops39 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops40 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops41 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops42 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops43 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span smap_inv44 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 153 12 156 47 - let%span smap_inv45 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 - let%span sinvariant46 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops12] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - use prelude.prelude.Borrow + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - use prelude.prelude.Snapshot + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - type t_I'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops9] unnest'0 self b) + -> ([%#sops10] unnest'0 b c) -> ([%#sops11] unnest'0 self c) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - type t_F'0 + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops8] unnest'0 self self - type t_Item'0 + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + - use seq.Seq + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops6] postcondition_mut'0 self args res_state res) + -> ([%#sops7] unnest'0 self res_state) - use prelude.prelude.Snapshot + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = + [%#sfilter3] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) + /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) + /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . 
not (postcondition_mut'0 f1 (i) f2 true + /\ postcondition_mut'0 f1 (i) f2 false)) - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_I'0) = - [%#sinvariant46] inv'0 self.current /\ inv'0 self.final + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_I'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) - axiom inv_axiom'2 [@rewrite] : forall x : borrowed t_I'0 [inv'4 x] . inv'4 x = invariant'2 x + axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' + end) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_Item'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 - predicate inv'9 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Item'0) + axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter4] inv'0 self -> inv'1 (func'0 self) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Int - axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'5 x] . inv'5 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'9 a_0 - end + use map.Map - use seq.Seq + function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Filter'0 . 
[%#sfilter5] inv'0 self -> inv'2 (iter'0 self) use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter34] produces'0 a ab b) - -> ([%#siter35] produces'0 b bc c) -> ([%#siter36] produces'0 a (Seq.(++) ab bc) c) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter14] produces'1 a ab b) + -> ([%#siter15] produces'1 b bc c) -> ([%#siter16] produces'1 a (Seq.(++) ab bc) c) function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter33] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - - predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter13] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use seq.Seq - let rec next'1 (self:borrowed t_I'0) (return' (ret:t_Option'0))= {[@expl:next 'self' type invariant] inv'4 self} - any - [ return' (result:t_Option'0)-> {inv'5 result} - {[%#siter9] match result with - | C_None'0 -> completed'1 self - | C_Some'0 v -> produces'0 self.current (Seq.singleton v) self.final - end} - (! 
return' {result}) ] - + use map.Map - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Item'0))= any - [ good (field_0:t_Item'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Item'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) + = + [%#sfilter2] invariant'0 self + -> unnest'0 (func'0 self) (func'0 succ) + /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited + -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> (exists j : int . 
0 <= j /\ j < Seq.length visited /\ Map.get f j = i) + = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - use prelude.prelude.Snapshot - - use seq.Seq + constant self : t_Filter'0 - use prelude.prelude.Snapshot + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (self : t_Filter'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + goal vc_produces_refl'0 : [%#sfilter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_trans [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (* as std::iter::Iterator> *) + let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 110 15 110 32 + let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 111 15 111 32 + let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 112 14 112 42 + let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 108 4 108 10 + let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 + let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 + let%span sfilter6 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 + let%span sfilter7 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter15 = 
"../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_F'0) = - [%#sinvariant46] inv'1 self.current /\ inv'1 self.final + type t_I'0 - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_F'0) + type t_F'0 - axiom inv_axiom'4 [@rewrite] : forall x : borrowed t_F'0 [inv'6 x] . inv'6 x = invariant'3 x + type t_Filter'0 = + { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } - predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + type t_Item'0 - axiom inv_axiom'5 [@rewrite] : forall x : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) [inv'7 x] . 
inv'7 x - = (let (x0, x1) = x in inv'9 x0) + use seq.Seq - type t_B'0 + use prelude.prelude.Borrow - predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops43] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'2 res_state) + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops14] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops40] unnest'0 self b) - -> ([%#sops41] unnest'0 b c) -> ([%#sops42] unnest'0 self c) + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops11] unnest'0 self b) + -> ([%#sops12] unnest'0 b c) -> ([%#sops13] unnest'0 self c) function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops39] unnest'0 self self + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops10] unnest'0 self self - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops37] postcondition_mut'0 self args res_state res) - -> ([%#sops38] unnest'0 self res_state) + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . 
([%#sops8] postcondition_mut'0 self args res_state res) + -> ([%#sops9] unnest'0 self res_state) - let rec call_mut'0 (self:borrowed t_F'0) (args:(t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (return' (ret:t_B'0))= {[@expl:call_mut 'self' type invariant] inv'6 self} - {[@expl:call_mut 'args' type invariant] inv'7 args} - {[@expl:call_mut requires] [%#sops10] precondition'0 self.current args} - any - [ return' (result:t_B'0)-> {inv'8 result} - {[%#sops11] postcondition_mut'0 self.current args self.final result} - (! return' {result}) ] - + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = + [%#sfilter5] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) + /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) + /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true + /\ postcondition_mut'0 f1 (i) f2 false)) - predicate next_precondition'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 115 4 115 78] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - - = - [%#smap_inv24] forall e : t_Item'0, i : t_I'0 . produces'0 iter (Seq.singleton e) i - -> precondition'0 func (e, Snapshot.new produced) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) - - = - [%#smap_inv45] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new s) - -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - predicate reinitialize'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 151 4 151 33] (_1 : ()) = - [%#smap_inv44] forall iter : borrowed t_I'0, func : t_F'0 . completed'1 iter - -> next_precondition'0 iter.final func (Seq.empty : Seq.seq t_Item'0) /\ preservation'0 iter.final func + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) - predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - - = - [%#smap_inv23] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) - -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' + end) - axiom preservation_inv'0_spec : forall iter : t_I'0, func : t_F'0, produced : Seq.seq t_Item'0 . 
[%#smap_inv22] produced - = (Seq.empty : Seq.seq t_Item'0) -> preservation_inv'0 iter func produced = preservation'0 iter func + function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 72 4 72 30] (self : t_MapInv'0) = - [%#smap_inv21] reinitialize'0 () - /\ preservation_inv'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) - /\ next_precondition'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) + axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter6] inv'0 self -> inv'1 (func'0 self) - function produces_one_invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 169 4 169 73] (self : t_MapInv'0) (e : t_Item'0) (r : t_B'0) (f : borrowed t_F'0) (iter : t_I'0) : () - + use prelude.prelude.Int - axiom produces_one_invariant'0_spec : forall self : t_MapInv'0, e : t_Item'0, r : t_B'0, f : borrowed t_F'0, iter : t_I'0 . ([%#smap_inv12] invariant'0 self) - -> ([%#smap_inv13] produces'0 self.t_MapInv__iter'0 (Seq.singleton e) iter) - -> ([%#smap_inv14] f.current = self.t_MapInv__func'0) - -> ([%#smap_inv15] postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final r) - -> ([%#smap_inv16] preservation_inv'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) - && ([%#smap_inv17] next_precondition'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) + use map.Map - use prelude.prelude.Snapshot + function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 - use prelude.prelude.Snapshot + axiom iter'0_spec : forall self : t_Filter'0 . 
[%#sfilter7] inv'0 self -> inv'2 (iter'0 self) use seq.Seq use seq.Seq - use seq.Seq + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use seq.Seq + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) + -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) - use seq.Seq + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use seq.Seq + use map.Map + use seq.Seq - use prelude.prelude.Snapshot + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) + + = + [%#sfilter4] invariant'0 self + -> unnest'0 (func'0 self) (func'0 succ) + /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited + -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> (exists j : int . 
0 <= j /\ j < Seq.length visited /\ Map.get f j = i) + = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - use prelude.prelude.Int + constant a : t_Filter'0 - use seq.Seq + constant ab : Seq.seq t_Item'0 + + constant b : t_Filter'0 + + constant bc : Seq.seq t_Item'0 + + constant c : t_Filter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (a : t_Filter'0) (ab : Seq.seq t_Item'0) (b : t_Filter'0) (bc : Seq.seq t_Item'0) (c : t_Filter'0) : () + + + goal vc_produces_trans'0 : ([%#sfilter1] produces'0 b bc c) + -> ([%#sfilter0] produces'0 a ab b) -> ([%#sfilter2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_refl [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (* as std::iter::Iterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq + type t_Item'0 + use seq.Seq + type t_I'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 + + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end + + function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + + axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse3] inv'0 self -> inv'1 (view'0 self)) + && ([%#sfuse4] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + use seq.Seq - predicate produces'1 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - = - [%#smap_inv25] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'0 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - = - [%#smap_inv32] () - axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv29] produces'1 a ab b) - -> ([%#smap_inv30] produces'1 b bc c) -> ([%#smap_inv31] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = - [%#smap_inv28] () + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv27] produces'1 self (Seq.empty : Seq.seq t_B'0) self + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) = - [%#smap_inv19] exists f : borrowed t_F'0, e : t_Item'0 . f.current = self.t_MapInv__func'0 - /\ f.final = succ.t_MapInv__func'0 - /\ produces'0 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e - /\ precondition'0 f.current (e, self.t_MapInv__produced'0) - /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited - - axiom produces_one'0_spec : forall self : t_MapInv'0, visited : t_B'0, succ : t_MapInv'0 . [%#smap_inv18] produces_one'0 self visited succ - = produces'1 self (Seq.singleton visited) succ - - predicate inv'10 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_MapInv'0) + [%#sfuse2] match view'0 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self + | C_Some'0 i -> match view'0 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - axiom inv_axiom'6 [@rewrite] : forall x : t_MapInv'0 [inv'10 x] . 
inv'10 x - = (invariant'0 x - /\ match x with - | {t_MapInv__iter'0 = iter ; t_MapInv__func'0 = func ; t_MapInv__produced'0 = produced} -> inv'0 iter /\ inv'1 func - end) + constant self : t_Fuse'0 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_MapInv'0)) = - [%#sinvariant46] inv'10 self.current /\ inv'10 self.final + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_MapInv'0)) + goal vc_produces_refl'0 : [%#sfuse0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_trans [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (* as std::iter::Iterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_MapInv'0) [inv'2 x] . 
inv'2 x = invariant'1 x + type t_I'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_MapInv'0)) = - [%#sresolve26] self.final = self.current + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_MapInv'0)) = - resolve'1 _1 + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - type t_Option'1 = - | C_None'1 - | C_Some'1 t_B'0 + type t_Item'0 - use prelude.prelude.Intrinsic + use seq.Seq - use prelude.prelude.Snapshot + use seq.Seq - use prelude.prelude.Snapshot + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'1 [inv'3 x] . inv'3 x + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'8 a_0 + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 end - predicate completed'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 14 4 14 35] (self : borrowed (t_MapInv'0)) - - = - [%#smap_inv20] Snapshot.inner (self.final).t_MapInv__produced'0 = (Seq.empty : Seq.seq t_Item'0) - /\ completed'1 (Borrow.borrow_logic (self.current).t_MapInv__iter'0 (self.final).t_MapInv__iter'0 (Borrow.inherit_id (Borrow.get_id self) 1)) - /\ (self.current).t_MapInv__func'0 = (self.final).t_MapInv__func'0 - - meta "compute_max_steps" 1000000 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - let rec next'0 (self:borrowed (t_MapInv'0)) (return' (ret:t_Option'1))= {[@expl:next 'self' type invariant] [%#smap_inv6] inv'2 self} - (! 
bb0 - [ bb0 = s0 [ s0 = [ &old_self <- [%#smap_inv0] Snapshot.new self.current ] s1 | s1 = bb1 ] - | bb1 = s0 - [ s0 = {inv'0 (self.current).t_MapInv__iter'0} - Borrow.borrow_final {(self.current).t_MapInv__iter'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_I'0) -> - [ &_6 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { self.current with t_MapInv__iter'0 = _ret'.final } } ] - s1) - | s1 = next'1 {_6} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s2) - | s2 = bb2 ] - - | bb2 = any [ br0 -> {_5 = C_None'0 } (! bb5) | br1 (x0:t_Item'0)-> {_5 = C_Some'0 x0} (! bb4) ] - | bb4 = bb6 - | bb6 = s0 - [ s0 = v_Some'0 {_5} (fun (r0'0:t_Item'0) -> [ &v <- r0'0 ] s1) - | s1 = {[@expl:assertion] [%#smap_inv1] precondition'0 (self.current).t_MapInv__func'0 (v, (self.current).t_MapInv__produced'0)} - s2 - | s2 = bb7 ] - - | bb7 = s0 - [ s0 = - [ &produced <- [%#smap_inv2] Snapshot.new (Seq.snoc (Snapshot.inner (self.current).t_MapInv__produced'0) v) ] - - s1 - | s1 = bb8 ] - - | bb8 = s0 - [ s0 = {inv'1 (self.current).t_MapInv__func'0} - Borrow.borrow_final {(self.current).t_MapInv__func'0} {Borrow.inherit_id (Borrow.get_id self) 2} - (fun (_ret':borrowed t_F'0) -> - [ &_14 <- _ret' ] - -{inv'1 _ret'.final}- - [ &self <- { self with current = { self.current with t_MapInv__func'0 = _ret'.final } } ] - s1) - | s1 = [ &_15 <- (v, (self.current).t_MapInv__produced'0) ] s2 - | s2 = call_mut'0 {_14} {_15} (fun (_ret':t_B'0) -> [ &r <- _ret' ] s3) - | s3 = bb9 ] - - | bb9 = bb10 - | bb10 = s0 - [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = produced } } ] s1 - | s1 = [ &_19 <- [%#smap_inv3] Snapshot.new (let _ = () in ()) ] s2 - | s2 = bb11 ] - - | bb11 = s0 - [ s0 = {[@expl:assertion] [%#smap_inv4] produces_one'0 (Snapshot.inner old_self) r self.current} s1 | s1 = bb12 ] - - | bb12 = s0 - [ s0 = {[@expl:type invariant] inv'2 self} s1 - | s1 = -{resolve'0 self}- s2 - | s2 = [ &_0 <- C_Some'1 r ] s3 - | s3 
= bb13 ] - - | bb13 = bb14 - | bb14 = bb15 - | bb15 = bb17 - | bb5 = s0 [ s0 = [ &_24 <- [%#smap_inv5] Snapshot.new (Seq.empty : Seq.seq t_Item'0) ] s1 | s1 = bb16 ] - | bb16 = s0 - [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = _24 } } ] s1 - | s1 = {[@expl:type invariant] inv'2 self} s2 - | s2 = -{resolve'0 self}- s3 - | s3 = [ &_0 <- C_None'1 ] s4 - | s4 = bb17 ] - - | bb17 = bb18 - | bb18 = return' {_0} ] - ) - [ & _0 : t_Option'1 = any_l () - | & self : borrowed (t_MapInv'0) = self - | & old_self : Snapshot.snap_ty (t_MapInv'0) = any_l () - | & _5 : t_Option'0 = any_l () - | & _6 : borrowed t_I'0 = any_l () - | & v : t_Item'0 = any_l () - | & produced : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () - | & r : t_B'0 = any_l () - | & _14 : borrowed t_F'0 = any_l () - | & _15 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) = any_l () - | & _19 : Snapshot.snap_ty () = any_l () - | & _24 : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () ] - - [ return' (result:t_Option'1)-> {[@expl:next result type invariant] [%#smap_inv7] inv'3 result} - {[@expl:next ensures] [%#smap_inv8] match result with - | C_None'1 -> completed'0 self - | C_Some'1 v -> produces_one'0 self.current v self.final - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__preservation_inv [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (* std::iter::map_inv::MapInv::Item, F> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 - let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end - use seq.Seq + function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 - type t_Item'0 + axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse5] inv'0 self -> inv'1 (view'0 self)) + && ([%#sfuse6] forall other : t_Fuse'0 . 
view'0 self = view'0 other -> self = other) use seq.Seq - type t_I'0 + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - type t_F'0 + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use prelude.prelude.Borrow + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) - type t_B'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use prelude.prelude.Snapshot + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + = + [%#sfuse4] match view'0 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self + | C_Some'0 i -> match view'0 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + constant a : t_Fuse'0 - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + constant ab : Seq.seq t_Item'0 - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq 
t_Item'0))) (res : t_B'0) : () - + constant b : t_Fuse'0 - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + constant bc : Seq.seq t_Item'0 - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant c : t_Fuse'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) - -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) + goal vc_produces_trans'0 : ([%#sfuse1] produces'0 b bc c) + -> ([%#sfuse0] produces'0 a ab b) -> ([%#sfuse2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi7691061398646472980__is_fused [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (* as std::iter::fuse::FusedIterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 63 15 63 31 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 64 15 64 44 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 65 14 65 50 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 61 4 61 10 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 20 12 21 28 + let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 + let%span sfuse7 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 + let%span sfuse8 = 
"../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 + let%span sfuse9 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 + let%span sfuse10 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 + let%span sfuse11 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 + let%span smodel12 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfuse13 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse14 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_I'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops3] postcondition_mut'0 self args res_state res) - -> ([%#sops4] unnest'0 self res_state) + type t_Item'0 use seq.Seq use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'0 a ab b) - -> ([%#siter12] produces'0 b bc c) -> ([%#siter13] produces'0 a (Seq.(++) ab bc) c) + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter10] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end - use prelude.prelude.Snapshot + function view'1 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + axiom view'1_spec : forall self : t_Fuse'0 . ([%#sfuse13] inv'0 self -> inv'1 (view'1 self)) + && ([%#sfuse14] forall other : t_Fuse'0 . 
view'1 self = view'1 other -> self = other) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - = - [%#smap_inv2] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new s) - -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - constant iter : t_I'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) + -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) - constant func : t_F'0 + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - constant produced : Seq.seq t_Item'0 + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + = + [%#sfuse5] match view'1 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'1 other = view'1 self + | C_Some'0 i -> match view'1 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - goal vc_preservation_inv'0 : [%#smap_inv0] produced = (Seq.empty : Seq.seq t_Item'0) - -> ([%#smap_inv1] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) - -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) - = preservation'0 iter func + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () + + = + [%#sfuse11] () + + axiom produces_trans'0_spec : forall a : t_Fuse'0, ab : Seq.seq t_Item'0, b : t_Fuse'0, bc : Seq.seq t_Item'0, c : t_Fuse'0 . ([%#sfuse8] produces'0 a ab b) + -> ([%#sfuse9] produces'0 b bc c) -> ([%#sfuse10] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () = + [%#sfuse7] () + + axiom produces_refl'0_spec : forall self : t_Fuse'0 . 
[%#sfuse6] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + + use prelude.prelude.Borrow + + function view'0 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (t_Fuse'0)) : t_Option'0 = + [%#smodel12] view'1 self.current + + predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + + predicate completed'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 18 4 18 35] (self : borrowed (t_Fuse'0)) = + [%#sfuse4] (view'0 self = C_None'0 + \/ (exists it : borrowed t_I'0 . completed'1 it /\ view'0 self = C_Some'0 (it.current))) + /\ view'1 self.final = C_None'0 + + constant self : borrowed (t_Fuse'0) + + constant steps : Seq.seq t_Item'0 + + constant next : t_Fuse'0 + + function is_fused'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (self : borrowed (t_Fuse'0)) (steps : Seq.seq t_Item'0) (next : t_Fuse'0) : () + + + goal vc_is_fused'0 : ([%#sfuse1] produces'0 self.final steps next) + -> ([%#sfuse0] completed'0 self) -> ([%#sfuse2] steps = (Seq.empty : Seq.seq t_Item'0) /\ self.final = next) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__produces_one [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (* std::iter::map_inv::MapInv::Item, F> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv7 = 
"../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops15 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops16 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops17 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops18 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops19 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 +module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_refl [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (* as std::iter::Iterator> *) + let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 80 14 80 45 + let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 78 4 78 10 + let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 + let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 + let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops10 = 
"../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq + type t_B'0 + use seq.Seq type t_I'0 type t_F'0 - type t_Item'0 + type t_Map'0 = + { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } - use seq.Seq + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use prelude.prelude.Snapshot + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) - type t_B'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x + = match x with + | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f + end - use seq.Seq + function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 - use seq.Seq + axiom func'0_spec : forall self : t_Map'0 . 
[%#smap3] inv'0 self -> inv'1 (func'0 self) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + type t_Item'0 + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) use prelude.prelude.Borrow predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops19] postcondition_once'0 self args res + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops11] postcondition_once'0 self args res = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) 
@@ -3645,18 +4348,20 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops16] unnest'0 self b) - -> ([%#sops17] unnest'0 b c) -> ([%#sops18] unnest'0 self c) + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) + -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops15] unnest'0 self self + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops13] postcondition_mut'0 self args res_state res) - -> ([%#sops14] unnest'0 self res_state) + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) + -> ([%#sops6] unnest'0 self res_state) + + use seq.Seq use seq.Seq 
@@ -3666,6 +4371,10 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr use seq.Seq + function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Map'0 . [%#smap4] inv'0 self -> inv'2 (iter'0 self) + use seq.Seq use seq.Seq @@ -3673,19 +4382,15 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter10] produces'1 a ab b) - -> ([%#siter11] produces'1 b bc c) -> ([%#siter12] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) + -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter9] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Snapshot - - use prelude.prelude.Snapshot + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use prelude.prelude.Int 
@@ -3693,461 +4398,429 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr use seq.Seq - use seq.Seq - - use prelude.prelude.Snapshot - - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) = - [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + [%#smap2] unnest'0 (func'0 self) (func'0 succ) /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited + /\ produces'1 (iter'0 self) s (iter'0 succ) /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 + func'0 self = func'0 succ else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + -> unnest'0 (func'0 self) (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () - - = - [%#smap_inv8] () + constant self : t_Map'0 - axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . 
([%#smap_inv5] produces'0 a ab b) - -> ([%#smap_inv6] produces'0 b bc c) -> ([%#smap_inv7] produces'0 a (Seq.(++) ab bc) c) + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (self : t_Map'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = - [%#smap_inv4] () + goal vc_produces_refl'0 : [%#smap0] produces'0 self (Seq.empty : Seq.seq t_B'0) self +end +module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_trans [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (* as std::iter::Iterator> *) + let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 85 15 85 32 + let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 86 15 86 32 + let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 87 14 87 42 + let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 83 4 83 10 + let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 + let%span smap5 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 + let%span smap6 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span 
siter17 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv3] produces'0 self (Seq.empty : Seq.seq t_B'0) self + type t_I'0 - use seq.Seq + type t_F'0 - use seq.Seq + type t_Map'0 = + { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } - constant self : t_MapInv'0 + type t_B'0 - constant visited : t_B'0 + use seq.Seq - constant succ : t_MapInv'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - goal vc_produces_one'0 : [%#smap_inv0] ([%#smap_inv1] exists f : borrowed t_F'0, e : t_Item'0 . f.current - = self.t_MapInv__func'0 - /\ f.final = succ.t_MapInv__func'0 - /\ produces'1 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e - /\ precondition'0 f.current (e, self.t_MapInv__produced'0) - /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited) - = produces'0 self (Seq.singleton visited) succ -end -module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_refl [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (* as std::iter::Iterator> *) - let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 31 14 31 45 - let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 29 4 29 10 - let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . 
inv'0 x + = match x with + | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f + end - type t_T'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 - use seq.Seq + axiom func'0_spec : forall self : t_Map'0 . [%#smap5] inv'0 self -> inv'1 (func'0 self) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_Item'0 - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) + - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + use prelude.prelude.Borrow - type t_Once'0 = - { t_Once__inner'0: t_IntoIter'0 } + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) + - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () + - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) - - = - [%#sonce2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - - constant self : t_Once'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops13] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (self : t_Once'0) : () + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - goal vc_produces_refl'0 : [%#sonce0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_trans [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (* as std::iter::Iterator> *) - let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 36 15 36 32 - let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 37 15 37 32 - let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 38 14 38 42 - let%span sonce3 = "../../../creusot-contracts/src/std/iter/once.rs" 34 4 34 10 - let%span sonce4 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - type t_T'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops10] unnest'0 self b) + -> ([%#sops11] unnest'0 b c) -> ([%#sops12] unnest'0 self c) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops9] unnest'0 self self - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () + - type t_Once'0 = - { t_Once__inner'0: t_IntoIter'0 } + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . 
([%#sops7] postcondition_mut'0 self args res_state res) + -> ([%#sops8] unnest'0 self res_state) use seq.Seq use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) - - = - [%#sonce4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - use seq.Seq - constant a : t_Once'0 + use seq.Seq - constant ab : Seq.seq t_T'0 + function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 - constant b : t_Once'0 + axiom iter'0_spec : forall self : t_Map'0 . [%#smap6] inv'0 self -> inv'2 (iter'0 self) - constant bc : Seq.seq t_T'0 + use seq.Seq - constant c : t_Once'0 + use seq.Seq - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (a : t_Once'0) (ab : Seq.seq t_T'0) (b : t_Once'0) (bc : Seq.seq t_T'0) (c : t_Once'0) : () + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - goal vc_produces_trans'0 : ([%#sonce1] produces'0 b bc c) - -> ([%#sonce0] produces'0 a ab b) -> ([%#sonce2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 30 4 30 10 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b 
: t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - type t_Idx'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter15] produces'1 a ab b) + -> ([%#siter16] produces'1 b bc c) -> ([%#siter17] produces'1 a (Seq.(++) ab bc) c) - use seq.Seq + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - type t_Range'0 = - { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter14] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use prelude.prelude.Int - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + use seq.Seq use seq.Seq + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) = - [%#srange2] self.t_Range__end'0 = o.t_Range__end'0 - /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 - /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) - /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + [%#smap4] unnest'0 (func'0 self) (func'0 succ) + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited + /\ produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int . 
1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + func'0 self = func'0 succ + else + (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - - constant self : t_Range'0 + -> unnest'0 (func'0 self) (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (self : t_Range'0) : () + use seq.Seq - goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 35 4 35 10 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 + constant a : t_Map'0 - type t_Idx'0 + constant ab : Seq.seq t_B'0 - type t_Range'0 = - { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } + constant b : t_Map'0 - use seq.Seq + constant bc : Seq.seq t_B'0 - use prelude.prelude.Int + constant c : t_Map'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (a : t_Map'0) (ab : Seq.seq t_B'0) (b : t_Map'0) (bc : Seq.seq t_B'0) (c : 
t_Map'0) : () + - use seq.Seq + goal vc_produces_trans'0 : ([%#smap1] produces'0 b bc c) + -> ([%#smap0] produces'0 a ab b) -> ([%#smap2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_refl [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) - - = - [%#srange4] self.t_Range__end'0 = o.t_Range__end'0 - /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 - /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) - /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 - /\ (forall i : 
int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) + type t_B'0 use seq.Seq - constant a : t_Range'0 + type t_I'0 - constant ab : Seq.seq t_Idx'0 + type t_F'0 - constant b : t_Range'0 + type t_Item'0 - constant bc : Seq.seq t_Idx'0 + use seq.Seq - constant c : t_Range'0 + use prelude.prelude.Snapshot - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (a : t_Range'0) (ab : Seq.seq t_Idx'0) (b : t_Range'0) (bc : Seq.seq t_Idx'0) (c : t_Range'0) : () + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) - -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__range__range_inclusive_len [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span sops1 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + use prelude.prelude.Borrow - type t_Idx'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : 
t_RangeInclusive'0) : t_Idx'0 + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - use prelude.prelude.Int + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) + -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops1] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - constant r : t_RangeInclusive'0 + axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops5] unnest'0 self self - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - goal vc_range_inclusive_len'0 : ([%#sops1] not is_empty_log'0 r - -> deep_model'0 (start_log'0 r) <= deep_model'0 (end_log'0 r)) - -> (if is_empty_log'0 r then - [%#srange0] is_empty_log'0 r = (0 = 0) - else - [%#srange0] is_empty_log'0 r = (deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 = 0) - ) -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops3] postcondition_mut'0 self args res_state res) + -> ([%#sops4] unnest'0 self res_state) use seq.Seq - type t_Idx'0 + use seq.Seq use seq.Seq - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + use seq.Seq use seq.Seq - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + use seq.Seq - use prelude.prelude.Int + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'1 a ab b) + -> ([%#siter12] produces'1 b bc c) -> ([%#siter13] produces'1 a (Seq.(++) ab bc) c) - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops5] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter10] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int - - = - [%#srange4] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + use prelude.prelude.Snapshot - axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange3] is_empty_log'0 r - = (range_inclusive_len'0 r = 0) + use prelude.prelude.Snapshot + + use prelude.prelude.Int use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) - + use seq.Seq + + use seq.Seq + + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + + + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + = - [%#srange2] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o - /\ (is_empty_log'0 self -> is_empty_log'0 o) - /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 
1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - constant self : t_RangeInclusive'0 + constant self : t_MapInv'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (self : t_RangeInclusive'0) : () - + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () - goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self + goal vc_produces_refl'0 : [%#smap_inv0] produces'0 self (Seq.empty : Seq.seq t_B'0) self end -module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 79 4 79 10 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 - let%span srange5 = 
"../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span srange6 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_trans [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_Idx'0 + type t_I'0 - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + type t_F'0 - use seq.Seq + type t_Item'0 use seq.Seq - function start_log'0 
[#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 - - use prelude.prelude.Int - - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + use prelude.prelude.Snapshot - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + type t_B'0 - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops7] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + use seq.Seq - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - = - [%#srange6] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 - axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . 
[%#srange5] is_empty_log'0 r - = (range_inclusive_len'0 r = 0) + use prelude.prelude.Borrow - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - = - [%#srange4] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o - /\ (is_empty_log'0 self -> is_empty_log'0 o) - /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - constant a : t_RangeInclusive'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops11] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - constant ab : Seq.seq t_Idx'0 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - constant b : t_RangeInclusive'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - constant bc : Seq.seq t_Idx'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops8] unnest'0 self b) + -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) - constant c : t_RangeInclusive'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (a : t_RangeInclusive'0) (ab : Seq.seq t_Idx'0) (b : t_RangeInclusive'0) (bc : Seq.seq t_Idx'0) (c : t_RangeInclusive'0) : () + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) - -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_refl [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (* as std::iter::Iterator> *) - let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 31 14 31 45 - let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 29 4 29 10 - let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops5] postcondition_mut'0 self args res_state res) + -> ([%#sops6] unnest'0 self res_state) use seq.Seq - type t_T'0 - use seq.Seq - type t_Repeat'0 = - { t_Repeat__element'0: t_T'0 } - - use prelude.prelude.Int + use seq.Seq use seq.Seq use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - = - [%#srepeat2] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) - constant self : t_Repeat'0 + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (self : t_Repeat'0) : () + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter13] produces'1 a ab b) + -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) - goal vc_produces_refl'0 : [%#srepeat0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_trans [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (* as std::iter::Iterator> *) - let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 36 15 36 32 - let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 37 15 37 32 - let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 38 14 38 42 - let%span srepeat3 = "../../../creusot-contracts/src/std/iter/repeat.rs" 34 4 34 10 - let%span srepeat4 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - type t_T'0 + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - type t_Repeat'0 = - { t_Repeat__element'0: t_T'0 } + use prelude.prelude.Snapshot - use seq.Seq + use prelude.prelude.Snapshot use prelude.prelude.Int 
@@ -4155,678 +4828,751 @@ module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__pro use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + + + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) = - [%#srepeat4] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) + [%#smap_inv4] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) use seq.Seq - constant a : t_Repeat'0 + constant a : t_MapInv'0 - constant ab : Seq.seq t_T'0 + constant ab : Seq.seq t_B'0 - constant b : t_Repeat'0 + constant b : t_MapInv'0 - constant bc : Seq.seq t_T'0 + constant bc : Seq.seq t_B'0 - constant c : t_Repeat'0 + constant c : t_MapInv'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (a : t_Repeat'0) (ab : Seq.seq t_T'0) (b : t_Repeat'0) (bc : Seq.seq t_T'0) (c : t_Repeat'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () - goal vc_produces_trans'0 : ([%#srepeat1] produces'0 b bc c) - -> ([%#srepeat0] produces'0 a ab b) -> ([%#srepeat2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#smap_inv1] produces'0 b bc c) + -> ([%#smap_inv0] produces'0 a ab b) -> ([%#smap_inv2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_refl [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (* as std::iter::Iterator> *) - let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 73 14 73 45 - let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 71 4 71 10 - let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 - let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 - let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 
39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_Item'0 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi5691635635396426195__resolve_coherence [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (* as resolve::Resolve> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 62 15 62 39 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 63 14 63 31 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 60 4 60 23 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 57 8 57 50 - use seq.Seq + use prelude.prelude.Borrow type t_I'0 - use prelude.prelude.UIntSize - - type t_Skip'0 = - { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } - - use prelude.prelude.Int + type t_F'0 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_B'0 - use prelude.prelude.UIntSize + use seq.Seq - function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + use prelude.prelude.Snapshot - axiom n'0_spec : forall self : t_Skip'0 . 
[%#sskip3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_B'0) } - use seq.Seq + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : Snapshot.snap_ty (Seq.seq t_B'0)) + = + true - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_I'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x - = match x with - | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter - end - - function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Skip'0 . 
[%#sskip4] inv'0 self -> inv'1 (iter'0 self) + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_MapInv'0) = + match _1 with + | {t_MapInv__iter'0 = x0 ; t_MapInv__func'0 = x1 ; t_MapInv__produced'0 = x2} -> resolve'1 x2 + /\ resolve'2 x1 /\ resolve'3 x0 + end - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 28] (self : t_MapInv'0) = + [%#smap_inv3] resolve'3 self.t_MapInv__iter'0 /\ resolve'2 self.t_MapInv__func'0 - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + constant self : t_MapInv'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function resolve_coherence'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (self : t_MapInv'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use seq.Seq + goal vc_resolve_coherence'0 : ([%#smap_inv0] structural_resolve'0 self) -> ([%#smap_inv1] resolve'0 self) +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4413682431414748756__next [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 4 90 44] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 91 39 91 58 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 94 16 94 76 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 95 31 95 71 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 99 38 99 88 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 100 32 100 63 + let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 105 32 105 56 + let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 17 90 21 + let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 26 90 44 + let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 86 14 89 5 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 103 26 106 17 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 162 27 162 52 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 163 26 163 71 + let%span smap_inv12 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 163 15 163 31 + let%span smap_inv13 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 164 4 164 60 + let%span smap_inv14 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 165 15 165 30 + let%span smap_inv15 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 166 15 166 64 + let%span smap_inv16 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 167 14 167 74 + let%span smap_inv17 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 168 14 168 75 + let%span smap_inv18 = 
"../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 + let%span smap_inv19 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 + let%span smap_inv20 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9 + let%span smap_inv21 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 74 12 76 73 + let%span smap_inv22 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 + let%span smap_inv23 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 + let%span smap_inv24 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 117 12 119 63 + let%span smap_inv25 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sresolve26 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smap_inv27 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv28 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv29 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv30 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv31 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv32 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span siter33 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter34 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter35 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter36 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span sops37 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops38 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops39 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops40 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops41 = "../../../creusot-contracts/src/std/ops.rs" 121 
15 121 26 + let%span sops42 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops43 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span smap_inv44 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 153 12 156 47 + let%span smap_inv45 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 + let%span sinvariant46 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 use prelude.prelude.Borrow - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) - - = - [%#sskip2] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o - \/ n'0 o = 0 - /\ Seq.length visited > 0 - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self - /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - - constant self : t_Skip'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (self : t_Skip'0) : () - - goal vc_produces_refl'0 : [%#sskip0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_trans [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (* as std::iter::Iterator> *) - let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 78 15 78 32 - let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 79 15 79 32 - let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 80 14 80 42 - let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 76 4 76 10 - let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 - let%span sskip5 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 - let%span sskip6 = 
"../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + use prelude.prelude.Snapshot type t_I'0 - use prelude.prelude.UIntSize + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - type t_Skip'0 = - { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + type t_F'0 type t_Item'0 use seq.Seq - use seq.Seq - - use prelude.prelude.Int + use prelude.prelude.Snapshot - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - use prelude.prelude.UIntSize + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_I'0) = + [%#sinvariant46] inv'0 self.current /\ inv'0 self.final - function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_I'0) - axiom n'0_spec : forall self : t_Skip'0 . [%#sskip5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + axiom inv_axiom'2 [@rewrite] : forall x : borrowed t_I'0 [inv'4 x] . 
inv'4 x = invariant'2 x - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_Item'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate inv'9 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Item'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'5 x] . inv'5 x = match x with - | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + | C_None'0 -> true + | C_Some'0 a_0 -> inv'9 a_0 end - function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip6] inv'0 self -> inv'1 (iter'0 self) + use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter34] produces'0 a ab b) + -> ([%#siter35] produces'0 b bc c) -> ([%#siter36] produces'0 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter33] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + + predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) use seq.Seq - use prelude.prelude.Borrow + let rec next'1 (self:borrowed t_I'0) (return' (ret:t_Option'0))= {[@expl:next 'self' type invariant] inv'4 self} + any + [ return' (result:t_Option'0)-> {inv'5 result} + {[%#siter9] match result with + | C_None'0 -> completed'1 self + | C_Some'0 v -> produces'0 self.current (Seq.singleton v) self.final + end} + (! return' {result}) ] + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Item'0))= any + [ good (field_0:t_Item'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Item'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - = - [%#sskip4] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o - \/ n'0 o = 0 - /\ Seq.length visited > 0 - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self - /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) - /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - constant a : t_Skip'0 + use prelude.prelude.Snapshot - constant ab : Seq.seq t_Item'0 + use seq.Seq - constant b : t_Skip'0 + use prelude.prelude.Snapshot - constant bc : Seq.seq t_Item'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - constant c : t_Skip'0 + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_F'0) = + [%#sinvariant46] inv'1 self.current /\ inv'1 self.final - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (a : t_Skip'0) (ab : Seq.seq t_Item'0) (b : t_Skip'0) (bc : Seq.seq t_Item'0) (c : t_Skip'0) : () - + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_F'0) - goal vc_produces_trans'0 : ([%#sskip1] produces'0 b bc c) - -> ([%#sskip0] produces'0 a ab b) -> ([%#sskip2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_refl [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (* as std::iter::Iterator> *) - let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 71 14 71 45 - let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 69 4 69 10 - let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 - let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 - let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom inv_axiom'4 [@rewrite] : forall x : borrowed t_F'0 [inv'6 x] . 
inv'6 x = invariant'3 x - use seq.Seq + predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + - type t_Item'0 + axiom inv_axiom'5 [@rewrite] : forall x : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) [inv'7 x] . inv'7 x + = (let (x0, x1) = x in inv'9 x0) - use seq.Seq + type t_B'0 - type t_I'0 + predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) - use prelude.prelude.UIntSize + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + - type t_Take'0 = - { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - use prelude.prelude.Int + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - use prelude.prelude.UIntSize + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops43] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'2 res_state) - function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - axiom n'0_spec : forall self : t_Take'0 . 
[%#stake3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - use seq.Seq + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops40] unnest'0 self b) + -> ([%#sops41] unnest'0 b c) -> ([%#sops42] unnest'0 self c) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops39] unnest'0 self self - axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x - = match x with - | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter - end + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + - function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops37] postcondition_mut'0 self args res_state res) + -> ([%#sops38] unnest'0 self res_state) - axiom iter'0_spec : forall self : t_Take'0 . 
[%#stake4] inv'0 self -> inv'1 (iter'0 self) - - use seq.Seq - - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + let rec call_mut'0 (self:borrowed t_F'0) (args:(t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (return' (ret:t_B'0))= {[@expl:call_mut 'self' type invariant] inv'6 self} + {[@expl:call_mut 'args' type invariant] inv'7 args} + {[@expl:call_mut requires] [%#sops10] precondition'0 self.current args} + any + [ return' (result:t_B'0)-> {inv'8 result} + {[%#sops11] postcondition_mut'0 self.current args self.final result} + (! return' {result}) ] - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + predicate next_precondition'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 115 4 115 78] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + = + [%#smap_inv24] forall e : t_Item'0, i : t_I'0 . produces'0 iter (Seq.singleton e) i + -> precondition'0 func (e, Snapshot.new produced) - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) + + = + [%#smap_inv45] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new s) + -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + predicate reinitialize'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 151 4 151 33] (_1 : ()) = + [%#smap_inv44] forall iter : borrowed t_I'0, func : t_F'0 . completed'1 iter + -> next_precondition'0 iter.final func (Seq.empty : Seq.seq t_Item'0) /\ preservation'0 iter.final func - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) = - [%#stake2] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) - - constant self : t_Take'0 + [%#smap_inv23] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (self : t_Take'0) : () + axiom preservation_inv'0_spec : forall iter : t_I'0, func : t_F'0, produced : Seq.seq t_Item'0 . 
[%#smap_inv22] produced + = (Seq.empty : Seq.seq t_Item'0) -> preservation_inv'0 iter func produced = preservation'0 iter func - goal vc_produces_refl'0 : [%#stake0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_trans [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (* as std::iter::Iterator> *) - let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32 - let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 77 15 77 32 - let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 78 14 78 42 - let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 74 4 74 10 - let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 - let%span stake5 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 - let%span stake6 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 72 4 72 30] (self : t_MapInv'0) = + [%#smap_inv21] reinitialize'0 () + /\ preservation_inv'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) + /\ next_precondition'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) - type t_I'0 + function produces_one_invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 169 4 169 73] (self : t_MapInv'0) (e : t_Item'0) (r : t_B'0) (f : borrowed t_F'0) (iter : t_I'0) : () + - use prelude.prelude.UIntSize + axiom produces_one_invariant'0_spec : forall self : t_MapInv'0, e : t_Item'0, r : t_B'0, f : 
borrowed t_F'0, iter : t_I'0 . ([%#smap_inv12] invariant'0 self) + -> ([%#smap_inv13] produces'0 self.t_MapInv__iter'0 (Seq.singleton e) iter) + -> ([%#smap_inv14] f.current = self.t_MapInv__func'0) + -> ([%#smap_inv15] postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final r) + -> ([%#smap_inv16] preservation_inv'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) + && ([%#smap_inv17] next_precondition'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) - type t_Take'0 = - { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + use prelude.prelude.Snapshot - type t_Item'0 + use prelude.prelude.Snapshot use seq.Seq - use prelude.prelude.Int - - constant v_MAX'0 : usize = (18446744073709551615 : usize) + use seq.Seq - use prelude.prelude.UIntSize + use seq.Seq - function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + use seq.Seq - axiom n'0_spec : forall self : t_Take'0 . [%#stake5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + use seq.Seq use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x - = match x with - | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter - end + use prelude.prelude.Snapshot - function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + use prelude.prelude.Int - axiom iter'0_spec : forall self : t_Take'0 . 
[%#stake6] inv'0 self -> inv'1 (iter'0 self) + use seq.Seq use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use seq.Seq - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + predicate produces'1 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + = + [%#smap_inv25] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'0 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () = - [%#stake4] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) - - constant a : t_Take'0 - - constant ab : Seq.seq t_Item'0 + [%#smap_inv32] () - constant b : t_Take'0 + axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv29] produces'1 a ab b) + -> ([%#smap_inv30] produces'1 b bc c) -> ([%#smap_inv31] produces'1 a (Seq.(++) ab bc) c) - constant bc : Seq.seq t_Item'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = + [%#smap_inv28] () - constant c : t_Take'0 + axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv27] produces'1 self (Seq.empty : Seq.seq t_B'0) self - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (a : t_Take'0) (ab : Seq.seq t_Item'0) (b : t_Take'0) (bc : Seq.seq t_Item'0) (c : t_Take'0) : () + predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) + = + [%#smap_inv19] exists f : borrowed t_F'0, e : t_Item'0 . 
f.current = self.t_MapInv__func'0 + /\ f.final = succ.t_MapInv__func'0 + /\ produces'0 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e + /\ precondition'0 f.current (e, self.t_MapInv__produced'0) + /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited - goal vc_produces_trans'0 : ([%#stake1] produces'0 b bc c) - -> ([%#stake0] produces'0 a ab b) -> ([%#stake2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_refl [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (* as std::iter::Iterator> *) - let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45 - let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 53 4 53 10 - let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 - let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 - let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_Item'0 - - type t_Item'1 - - use seq.Seq - - type t_A'0 - - type t_B'0 - - use prelude.prelude.UIntSize - - type t_Zip'0 = - { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + axiom produces_one'0_spec : forall self : t_MapInv'0, visited : t_B'0, succ : t_MapInv'0 . 
[%#smap_inv18] produces_one'0 self visited succ + = produces'1 self (Seq.singleton visited) succ - use seq.Seq + predicate inv'10 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_MapInv'0) - use seq.Seq + axiom inv_axiom'6 [@rewrite] : forall x : t_MapInv'0 [inv'10 x] . inv'10 x + = (invariant'0 x + /\ match x with + | {t_MapInv__iter'0 = iter ; t_MapInv__func'0 = func ; t_MapInv__produced'0 = produced} -> inv'0 iter /\ inv'1 func + end) - use seq.Seq + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_MapInv'0)) = + [%#sinvariant46] inv'10 self.current /\ inv'10 self.final - use seq.Seq + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_MapInv'0)) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_MapInv'0) [inv'2 x] . inv'2 x = invariant'1 x - use prelude.prelude.Int + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_MapInv'0)) = + [%#sresolve26] self.final = self.current - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_MapInv'0)) = + resolve'1 _1 - use seq.Seq + type t_Option'1 = + | C_None'1 + | C_Some'1 t_B'0 - use seq.Seq + use prelude.prelude.Intrinsic - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + use prelude.prelude.Snapshot - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + use prelude.prelude.Snapshot - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) - axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'1 [inv'3 x] . 
inv'3 x = match x with - | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a - /\ inv'2 b + | C_None'1 -> true + | C_Some'1 a_0 -> inv'8 a_0 end - function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 - - axiom itera'0_spec : forall self : t_Zip'0 . [%#szip3] inv'0 self -> inv'1 (itera'0 self) - - use seq.Seq - - use seq.Seq - - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) - - - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + predicate completed'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 14 4 14 35] (self : borrowed (t_MapInv'0)) + = + [%#smap_inv20] Snapshot.inner (self.final).t_MapInv__produced'0 = (Seq.empty : Seq.seq t_Item'0) + /\ completed'1 (Borrow.borrow_logic (self.current).t_MapInv__iter'0 (self.final).t_MapInv__iter'0 (Borrow.inherit_id (Borrow.get_id self) 1)) + /\ (self.current).t_MapInv__func'0 = (self.final).t_MapInv__func'0 - axiom produces_trans'0_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () - - axiom produces_refl'1_spec : forall self : t_A'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 - - axiom iterb'0_spec : forall self : t_Zip'0 . 
[%#szip4] inv'0 self -> inv'2 (iterb'0 self) + meta "compute_max_steps" 1000000 - use seq.Seq - - use seq.Seq - - predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) - - - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + let rec next'0 (self:borrowed (t_MapInv'0)) (return' (ret:t_Option'1))= {[@expl:next 'self' type invariant] [%#smap_inv6] inv'2 self} + (! bb0 + [ bb0 = s0 [ s0 = [ &old_self <- [%#smap_inv0] Snapshot.new self.current ] s1 | s1 = bb1 ] + | bb1 = s0 + [ s0 = {inv'0 (self.current).t_MapInv__iter'0} + Borrow.borrow_final {(self.current).t_MapInv__iter'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_I'0) -> + [ &_6 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { self.current with t_MapInv__iter'0 = _ret'.final } } ] + s1) + | s1 = next'1 {_6} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s2) + | s2 = bb2 ] + + | bb2 = any [ br0 -> {_5 = C_None'0 } (! bb5) | br1 (x0:t_Item'0)-> {_5 = C_Some'0 x0} (! 
bb4) ] + | bb4 = bb6 + | bb6 = s0 + [ s0 = v_Some'0 {_5} (fun (r0'0:t_Item'0) -> [ &v <- r0'0 ] s1) + | s1 = {[@expl:assertion] [%#smap_inv1] precondition'0 (self.current).t_MapInv__func'0 (v, (self.current).t_MapInv__produced'0)} + s2 + | s2 = bb7 ] + + | bb7 = s0 + [ s0 = + [ &produced <- [%#smap_inv2] Snapshot.new (Seq.snoc (Snapshot.inner (self.current).t_MapInv__produced'0) v) ] + + s1 + | s1 = bb8 ] + + | bb8 = s0 + [ s0 = {inv'1 (self.current).t_MapInv__func'0} + Borrow.borrow_final {(self.current).t_MapInv__func'0} {Borrow.inherit_id (Borrow.get_id self) 2} + (fun (_ret':borrowed t_F'0) -> + [ &_14 <- _ret' ] + -{inv'1 _ret'.final}- + [ &self <- { self with current = { self.current with t_MapInv__func'0 = _ret'.final } } ] + s1) + | s1 = [ &_15 <- (v, (self.current).t_MapInv__produced'0) ] s2 + | s2 = call_mut'0 {_14} {_15} (fun (_ret':t_B'0) -> [ &r <- _ret' ] s3) + | s3 = bb9 ] + + | bb9 = bb10 + | bb10 = s0 + [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = produced } } ] s1 + | s1 = [ &_19 <- [%#smap_inv3] Snapshot.new (let _ = () in ()) ] s2 + | s2 = bb11 ] + + | bb11 = s0 + [ s0 = {[@expl:assertion] [%#smap_inv4] produces_one'0 (Snapshot.inner old_self) r self.current} s1 | s1 = bb12 ] + + | bb12 = s0 + [ s0 = {[@expl:type invariant] inv'2 self} s1 + | s1 = -{resolve'0 self}- s2 + | s2 = [ &_0 <- C_Some'1 r ] s3 + | s3 = bb13 ] + + | bb13 = bb14 + | bb14 = bb15 + | bb15 = bb17 + | bb5 = s0 [ s0 = [ &_24 <- [%#smap_inv5] Snapshot.new (Seq.empty : Seq.seq t_Item'0) ] s1 | s1 = bb16 ] + | bb16 = s0 + [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = _24 } } ] s1 + | s1 = {[@expl:type invariant] inv'2 self} s2 + | s2 = -{resolve'0 self}- s3 + | s3 = [ &_0 <- C_None'1 ] s4 + | s4 = bb17 ] + + | bb17 = bb18 + | bb18 = return' {_0} ] + ) + [ & _0 : t_Option'1 = any_l () + | & self : borrowed (t_MapInv'0) = self + | & old_self : Snapshot.snap_ty (t_MapInv'0) = any_l () + | & _5 : t_Option'0 = 
any_l () + | & _6 : borrowed t_I'0 = any_l () + | & v : t_Item'0 = any_l () + | & produced : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () + | & r : t_B'0 = any_l () + | & _14 : borrowed t_F'0 = any_l () + | & _15 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) = any_l () + | & _19 : Snapshot.snap_ty () = any_l () + | & _24 : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () ] - - axiom produces_trans'1_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter6] produces'2 a ab b) - -> ([%#siter7] produces'2 b bc c) -> ([%#siter8] produces'2 a (Seq.(++) ab bc) c) - - function produces_refl'2 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () - - axiom produces_refl'2_spec : forall self : t_B'0 . [%#siter5] produces'2 self (Seq.empty : Seq.seq t_Item'1) self - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + [ return' (result:t_Option'1)-> {[@expl:next result type invariant] [%#smap_inv7] inv'3 result} + {[@expl:next ensures] [%#smap_inv8] match result with + | C_None'1 -> completed'0 self + | C_Some'1 v -> produces_one'0 self.current v self.final + end} + (! return' {result}) ] - = - [%#szip2] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 - /\ Seq.length p2 = Seq.length visited - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) - /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) - - constant self : t_Zip'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (self : t_Zip'0) : () - - goal vc_produces_refl'0 : [%#szip0] produces'0 self (Seq.empty : Seq.seq (t_Item'0, t_Item'1)) self end -module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_trans [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (* as std::iter::Iterator> *) - let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32 - let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32 - let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42 - let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 58 4 58 10 - let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 - let%span szip5 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 - let%span szip6 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - type t_A'0 - - type t_B'0 - - use prelude.prelude.UIntSize - - type t_Zip'0 = - { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } - - type t_Item'0 - - type t_Item'1 - - use seq.Seq - - use seq.Seq - - use seq.Seq - - use seq.Seq - - use seq.Seq +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__preservation_inv [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (* std::iter::map_inv::MapInv::Item, F> *) + 
let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 + let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - use prelude.prelude.Int + type t_Item'0 use seq.Seq - use seq.Seq + type t_I'0 - use seq.Seq + type t_F'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + use prelude.prelude.Borrow - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + type t_B'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + use prelude.prelude.Snapshot - axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . 
inv'0 x - = match x with - | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a - /\ inv'2 b - end + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + - function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - axiom itera'0_spec : forall self : t_Zip'0 . [%#szip5] inv'0 self -> inv'1 (itera'0 self) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - use seq.Seq + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) - + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - axiom produces_trans'1_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . 
([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) + -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - axiom produces_refl'0_spec : forall self : t_A'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self - function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + - axiom iterb'0_spec : forall self : t_Zip'0 . [%#szip6] inv'0 self -> inv'2 (iterb'0 self) + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops3] postcondition_mut'0 self args res_state res) + -> ([%#sops4] unnest'0 self res_state) use seq.Seq use seq.Seq - predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'2 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'2_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter8] produces'2 a ab b) - -> ([%#siter9] produces'2 b bc c) -> ([%#siter10] produces'2 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'0 a ab b) + -> ([%#siter12] produces'0 b bc c) -> ([%#siter13] produces'0 a (Seq.(++) ab bc) c) - axiom produces_refl'1_spec : forall self : t_B'0 . [%#siter7] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) - - = - [%#szip4] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 - /\ Seq.length p2 = Seq.length visited - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) - /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter10] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - use seq.Seq + use prelude.prelude.Snapshot - constant a : t_Zip'0 + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + - constant ab : Seq.seq (t_Item'0, t_Item'1) + predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) + + = + [%#smap_inv2] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new s) + -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - constant b : t_Zip'0 + constant iter : t_I'0 - constant bc : Seq.seq (t_Item'0, t_Item'1) + constant func : t_F'0 - constant c : t_Zip'0 + constant produced : Seq.seq t_Item'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (a : t_Zip'0) (ab : Seq.seq (t_Item'0, t_Item'1)) (b : t_Zip'0) (bc : Seq.seq (t_Item'0, t_Item'1)) (c : t_Zip'0) : () + predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - goal vc_produces_trans'0 : ([%#szip1] produces'0 b bc c) - -> ([%#szip0] produces'0 a ab b) -> ([%#szip2] produces'0 a (Seq.(++) ab bc) c) + goal vc_preservation_inv'0 : [%#smap_inv0] produced = (Seq.empty : Seq.seq t_Item'0) + -> ([%#smap_inv1] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) + = preservation'0 iter func end -module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_refl [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (* <&mut I as std::iter::Iterator> *) - let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 222 14 222 45 - let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 220 4 220 10 - let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 - let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__produces_one [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (* std::iter::map_inv::MapInv::Item, F> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span 
smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops15 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops16 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops17 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops18 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops19 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + + use seq.Seq use seq.Seq + type t_I'0 + + type t_F'0 + type t_Item'0 use seq.Seq - use prelude.prelude.Borrow + use prelude.prelude.Snapshot - type t_I'0 + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + + type t_B'0 use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + use seq.Seq + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args 
: (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter4] produces'1 a ab b) - -> ([%#siter5] produces'1 b bc c) -> ([%#siter6] produces'1 a (Seq.(++) ab bc) c) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops19] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter3] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - = - [%#siter2] produces'1 self.current visited o.current /\ self.final = o.final - constant self : borrowed t_I'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops16] unnest'0 self b) + -> ([%#sops17] unnest'0 b c) -> ([%#sops18] unnest'0 self c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (self : borrowed t_I'0) : () + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - goal vc_produces_refl'0 : [%#siter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_trans [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (* <&mut I as std::iter::Iterator> *) - let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 227 15 227 32 - let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 228 15 228 32 - let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 229 14 229 42 - let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 225 4 225 10 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops15] unnest'0 self self - use prelude.prelude.Borrow + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + - type t_I'0 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops13] postcondition_mut'0 self args res_state res) + -> ([%#sops14] unnest'0 self res_state) - type t_Item'0 + use seq.Seq + + use seq.Seq + + use seq.Seq use seq.Seq 
@@ -4840,1158 +5586,2322 @@ module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_tr function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter10] produces'1 a ab b) + -> ([%#siter11] produces'1 b bc c) -> ([%#siter12] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter9] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + + + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) = - [%#siter4] produces'1 self.current visited o.current /\ self.final = o.final + [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - constant a : borrowed t_I'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + + = + [%#smap_inv8] () - constant ab : Seq.seq t_Item'0 + axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv5] produces'0 a ab b) + -> ([%#smap_inv6] produces'0 b bc c) -> ([%#smap_inv7] produces'0 a (Seq.(++) ab bc) c) - constant b : borrowed t_I'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = + [%#smap_inv4] () - constant bc : Seq.seq t_Item'0 + axiom produces_refl'0_spec : forall self : t_MapInv'0 . 
[%#smap_inv3] produces'0 self (Seq.empty : Seq.seq t_B'0) self - constant c : borrowed t_I'0 + use seq.Seq - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (a : borrowed t_I'0) (ab : Seq.seq t_Item'0) (b : borrowed t_I'0) (bc : Seq.seq t_Item'0) (c : borrowed t_I'0) : () + use seq.Seq + + constant self : t_MapInv'0 + + constant visited : t_B'0 + + constant succ : t_MapInv'0 + + predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - goal vc_produces_trans'0 : ([%#siter1] produces'0 b bc c) - -> ([%#siter0] produces'0 a ab b) -> ([%#siter2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_one'0 : [%#smap_inv0] ([%#smap_inv1] exists f : borrowed t_F'0, e : t_Item'0 . f.current + = self.t_MapInv__func'0 + /\ f.final = succ.t_MapInv__func'0 + /\ produces'1 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e + /\ precondition'0 f.current (e, self.t_MapInv__produced'0) + /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited) + = produces'0 self (Seq.singleton visited) succ end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_unwrap_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 103 16 105 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 103 43 103 44 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 103 52 103 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 99 26 102 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_refl [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (* as 
std::iter::Iterator> *) + let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 31 14 31 45 + let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 29 4 29 10 + let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 + + use seq.Seq type t_T'0 + use seq.Seq + type t_Option'0 = | C_None'0 | C_Some'0 t_T'0 - type t_F'0 + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - use prelude.prelude.Borrow + type t_Once'0 = + { t_Once__inner'0: t_IntoIter'0 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + = + [%#sonce2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + constant self : t_Once'0 - axiom inv_axiom'1 [@rewrite] : forall x : () [inv'3 x] . 
inv'3 x = true + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (self : t_Once'0) : () - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + goal vc_produces_refl'0 : [%#sonce0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_trans [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (* as std::iter::Iterator> *) + let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 36 15 36 32 + let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 37 15 37 32 + let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 38 14 38 42 + let%span sonce3 = "../../../creusot-contracts/src/std/iter/once.rs" 34 4 34 10 + let%span sonce4 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_T'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) - + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_T'0)-> {inv'2 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] - + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - use prelude.prelude.Intrinsic + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + type t_Once'0 = + { t_Once__inner'0: t_IntoIter'0 } - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end - - meta "compute_max_steps" 1000000 + use seq.Seq - let rec extern_spec_std_option_T_Option_T_unwrap_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- t ] s4 - | s4 = bb8 ] - - | bb8 = bb9 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb9 - | bb9 = bb10 - | bb10 = bb11 - | bb11 = return' {_0} ] - ) - [ & _0 : t_T'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & _7 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body result type invariant] [%#soption2] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> postcondition_once'0 f () result - | C_Some'0 t -> result = t - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_body [#"../../../creusot-contracts/src/std/option.rs" 131 16 133 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 131 35 131 36 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 123 27 126 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 131 44 131 53 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 127 26 130 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + use seq.Seq - type t_T'0 + function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - type t_Option'1 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + = + [%#sonce4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - type t_F'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + constant a : t_Once'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant ab : Seq.seq t_T'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant b : t_Once'0 - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + constant bc : Seq.seq t_T'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + constant c : t_Once'0 - type t_U'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (a : t_Once'0) (ab : Seq.seq t_T'0) (b : t_Once'0) (bc : Seq.seq t_T'0) (c : t_Once'0) : () + - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + goal vc_produces_trans'0 : ([%#sonce1] produces'0 b bc c) + -> ([%#sonce0] produces'0 a ab b) -> ([%#sonce2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 30 4 30 10 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! 
return' {result}) ] - + type t_Idx'0 - type t_Option'0 = - | C_None'1 - | C_Some'1 t_U'0 + use seq.Seq - use prelude.prelude.Borrow + type t_Range'0 = + { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Intrinsic + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'5 a_0 - end + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + + = + [%#srange2] self.t_Range__end'0 = o.t_Range__end'0 + /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 + /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) + /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'4 a_0 - end + constant self : t_Range'0 - meta "compute_max_steps" 1000000 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (self : t_Range'0) : () - let rec extern_spec_std_option_T_Option_T_map_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_map_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_map_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_9 <- (t) ] s2 - | s2 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_7 <- _ret' ] s3) - | s3 = bb7 ] - - | bb7 = bb8 - | bb8 = s0 [ s0 = [ &_0 <- C_Some'1 _7 ] s1 | s1 = bb9 ] - | bb9 = bb10 - | bb10 = bb11 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb11 ] - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'1 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _7 : t_U'0 = any_l () - | & _9 : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_map_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'1 - | C_Some'0 t -> exists r : t_U'0 . result = C_Some'1 r /\ postcondition_once'0 f (t) r - end} - (! 
return' {result}) ] - + goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_inspect_body [#"../../../creusot-contracts/src/std/option.rs" 149 16 151 33] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 149 36 149 37 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 140 27 143 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 149 45 149 54 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 145 26 148 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - - type t_T'0 +module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 35 4 35 10 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_Idx'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] - + type t_Range'0 = + { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } - type t_F'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Borrow + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant6] inv'4 self + use seq.Seq - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + + = + [%#srange4] self.t_Range__end'0 = o.t_Range__end'0 + /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 + /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) + /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant a : t_Range'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = (let (x0) = x in inv'5 x0) + constant ab : Seq.seq t_Idx'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + constant b : t_Range'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + constant bc : Seq.seq t_Idx'0 - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . 
inv'3 x = true + constant c : t_Range'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : ()) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (a : t_Range'0) (ab : Seq.seq t_Idx'0) (b : t_Range'0) (bc : Seq.seq t_Idx'0) (c : t_Range'0) : () - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:()))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'2 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any [ return' (result:())-> {inv'3 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) + -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__range__range_inclusive_len [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span sops1 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + type t_Idx'0 - use prelude.prelude.Intrinsic + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end - - meta "compute_max_steps" 1000000 - - let rec extern_spec_std_option_T_Option_T_inspect_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = any [ br0 -> {self_ = C_None'0 } (! bb5) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb6) ] - | bb6 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_12 <- t ] s2 - | s2 = [ &_10 <- (_12) ] s3 - | s3 = call_once'0 {f} {_10} (fun (_ret':()) -> [ &_8 <- _ret' ] s4) - | s4 = bb8 ] - - | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] - | bb9 = bb10 - | bb10 = bb11 - | bb5 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb7 ] - | bb7 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb11 ] - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _8 : () = any_l () - | & _10 : t_T'0 = any_l () - | & _12 : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_inspect_body result type invariant] [%#soption3] inv'1 result} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #0] [%#soption0] result = self_} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #1] [%#soption4] match self_ with - | C_None'0 -> true - | C_Some'0 t -> postcondition_once'0 f (t) () - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_body [#"../../../creusot-contracts/src/std/option.rs" 166 16 168 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 166 38 166 45 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 166 50 166 51 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 158 27 161 17 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 166 59 166 60 - let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 162 26 165 17 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - - type t_T'0 + use prelude.prelude.Int - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - type t_U'0 + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool - use prelude.prelude.Borrow + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops1] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_U'0) + constant r : t_RangeInclusive'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int - type t_F'0 - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + goal vc_range_inclusive_len'0 : ([%#sops1] not is_empty_log'0 r + -> deep_model'0 (start_log'0 r) <= deep_model'0 (end_log'0 r)) + -> (if is_empty_log'0 r then + [%#srange0] is_empty_log'0 r = (0 = 0) + else + [%#srange0] is_empty_log'0 r = (deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 = 0) + ) +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Idx'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'4 x0) + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops6] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'0 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] - + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Intrinsic + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool - meta "compute_max_steps" 1000000 + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . 
[%#sops5] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) - let rec extern_spec_std_option_T_Option_T_map_or_body'0 (self_:t_Option'0) (default:t_U'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'default' type invariant] [%#soption1] inv'0 default} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'f' type invariant] [%#soption2] inv'1 f} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body requires] [%#soption3] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 default} s1 - | s1 = -{resolve'0 default}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_9 <- (t) ] s4 - | s4 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) - | s5 = bb7 ] - - | bb7 = bb8 - | bb8 = bb9 - | bb9 = bb10 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- default ] s1 | s1 = bb10 ] - | bb10 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_U'0 = any_l () - | & self_ : t_Option'0 = self_ - | & default : t_U'0 = default - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _9 : t_T'0 = any_l () ] - - [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_body result type invariant] [%#soption4] inv'0 result} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body ensures] [%#soption5] match self_ with - | C_None'0 -> result = default - | C_Some'0 t -> postcondition_once'0 f (t) result - end} - (! 
return' {result}) ] + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 183 16 186 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 183 46 183 53 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 183 58 183 59 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 175 27 178 17 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 183 67 183 68 - let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 179 26 182 17 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + = + [%#srange4] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 - type t_T'0 + axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange3] is_empty_log'0 r + = (range_inclusive_len'0 r = 0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - type t_D'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + + = + [%#srange2] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o + /\ (is_empty_log'0 self -> is_empty_log'0 o) + /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_D'0) + constant self : t_RangeInclusive'0 - use prelude.prelude.Borrow + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (self : t_RangeInclusive'0) : () + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_D'0) + goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 79 4 79 10 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 + let%span srange5 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span srange6 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] - + type t_Idx'0 - type t_F'0 + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = (let (x0) = x in inv'6 x0) + use prelude.prelude.Int - predicate precondition'1 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - type t_U'0 + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool - predicate postcondition_once'1 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops7] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'4 args} - {[@expl:call_once requires] [%#sops6] precondition'1 self args} - any - [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'1 self args result} (! 
return' {result}) ] + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + = + [%#srange6] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange5] is_empty_log'0 r + = (range_inclusive_len'0 r = 0) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + use seq.Seq - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true - - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_D'0) (args : ()) - - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_D'0) (args : ()) (result : t_U'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + = + [%#srange4] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o + /\ (is_empty_log'0 self -> is_empty_log'0 o) + /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) - let rec call_once'1 (self:t_D'0) (args:()) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops6] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'0 self args result} (! 
return' {result}) ] - + use seq.Seq - use prelude.prelude.Intrinsic + constant a : t_RangeInclusive'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + constant ab : Seq.seq t_Idx'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'6 a_0 - end + constant b : t_RangeInclusive'0 - meta "compute_max_steps" 1000000 + constant bc : Seq.seq t_Idx'0 - let rec extern_spec_std_option_T_Option_T_map_or_else_body'0 (self_:t_Option'0) (default:t_D'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'default' type invariant] [%#soption1] inv'0 default} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'f' type invariant] [%#soption2] inv'1 f} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body requires] [%#soption3] match self_ with - | C_None'0 -> precondition'0 default () - | C_Some'0 t -> precondition'1 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 default} s1 - | s1 = -{resolve'0 default}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_11 <- (t) ] s4 - | s4 = call_once'0 {f} {_11} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) - | s5 = bb8 ] - - | bb8 = bb9 - | bb9 = bb10 - | bb10 = bb11 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = call_once'1 {default} {_8} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = bb14 - | bb14 = return' {_0} ] - ) - [ & _0 : t_U'0 = any_l () - | & self_ : t_Option'0 = self_ - | & default : t_D'0 = default - | & f : t_F'0 = f - | & _8 : () = any_l () - | & t : t_T'0 = any_l () - | & _11 : t_T'0 = any_l () ] - - [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body result type invariant] [%#soption4] inv'3 result} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body ensures] [%#soption5] match self_ with - | C_None'0 -> postcondition_once'0 default () result - | C_Some'0 t -> postcondition_once'1 f (t) result - end} - (! 
return' {result}) ] + constant c : t_RangeInclusive'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (a : t_RangeInclusive'0) (ab : Seq.seq t_Idx'0) (b : t_RangeInclusive'0) (bc : Seq.seq t_Idx'0) (c : t_RangeInclusive'0) : () + + goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) + -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_ok_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 204 16 206 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 204 42 204 45 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 204 53 204 65 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 200 26 203 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_refl [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (* as std::iter::Iterator> *) + let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 31 14 31 45 + let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 29 4 29 10 + let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + + use seq.Seq type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - type t_F'0 + type t_Repeat'0 = + { t_Repeat__element'0: t_T'0 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Borrow + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! 
ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 - type t_E'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + + = + [%#srepeat2] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) - type t_Result'0 = - | C_Ok'0 t_T'0 - | C_Err'0 t_E'0 + constant self : t_Repeat'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (self : t_Repeat'0) : () - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + goal vc_produces_refl'0 : [%#srepeat0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_trans [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (* as std::iter::Iterator> *) + let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 36 15 36 32 + let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 37 15 37 32 + let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 38 14 38 42 + let%span srepeat3 = "../../../creusot-contracts/src/std/iter/repeat.rs" 34 4 34 10 + let%span srepeat4 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + type t_T'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_E'0) + type t_Repeat'0 = + { t_Repeat__element'0: t_T'0 } - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : 
t_E'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_E'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_E'0)-> {inv'4 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] - + use prelude.prelude.Int - use prelude.prelude.Intrinsic + use seq.Seq - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'5 a_0 - end + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + + = + [%#srepeat4] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Result'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Result'0 [inv'2 x] . 
inv'2 x - = match x with - | C_Ok'0 a_0 -> inv'5 a_0 - | C_Err'0 a_0 -> inv'4 a_0 - end + constant a : t_Repeat'0 - meta "compute_max_steps" 1000000 + constant ab : Seq.seq t_T'0 - let rec extern_spec_std_option_T_Option_T_ok_or_else_body'0 (self_:t_Option'0) (err:t_F'0) (return' (ret:t_Result'0))= {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'err' type invariant] [%#soption1] inv'0 err} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 err ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 err} s1 - | s1 = -{resolve'0 err}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- C_Ok'0 t ] s4 - | s4 = bb9 ] - - | bb9 = bb10 - | bb10 = bb11 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {err} {_8} (fun (_ret':t_E'0) -> [ &_6 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = s0 [ s0 = [ &_0 <- C_Err'0 _6 ] s1 | s1 = bb8 ] - | bb8 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Result'0 = any_l () - | & self_ : t_Option'0 = self_ - | & err : t_F'0 = err - | & _6 : t_E'0 = any_l () - | & _8 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_Result'0)-> {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body result type invariant] [%#soption2] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> exists r : t_E'0 . result = C_Err'0 r /\ postcondition_once'0 err () r - | C_Some'0 t -> result = C_Ok'0 t - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_and_then_body [#"../../../creusot-contracts/src/std/option.rs" 234 16 236 45] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 234 40 234 41 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 226 27 229 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 234 49 234 58 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 230 26 233 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + constant b : t_Repeat'0 - type t_T'0 + constant bc : Seq.seq t_T'0 - type t_Option'1 = - | C_None'0 - | C_Some'0 t_T'0 + constant c : t_Repeat'0 - let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! 
{false} any) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (a : t_Repeat'0) (ab : Seq.seq t_T'0) (b : t_Repeat'0) (bc : Seq.seq t_T'0) (c : t_Repeat'0) : () - type t_F'0 + goal vc_produces_trans'0 : ([%#srepeat1] produces'0 b bc c) + -> ([%#srepeat0] produces'0 a ab b) -> ([%#srepeat2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_refl [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (* as std::iter::Iterator> *) + let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 73 14 73 45 + let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 71 4 71 10 + let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 + let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 + let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Item'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'4 x0) + type t_I'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + use prelude.prelude.UIntSize - type t_U'0 + type t_Skip'0 = + { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } - type t_Option'0 = - | C_None'1 - | C_Some'1 t_U'0 - - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) - - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'5 a_0 - end + constant v_MAX'0 : usize = (18446744073709551615 : usize) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_Option'0) - + use prelude.prelude.UIntSize - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_Option'0)-> {inv'2 result} - {[%#sops5] postcondition_once'0 self args result} - (! return' {result}) ] - + function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int - use prelude.prelude.Borrow + axiom n'0_spec : forall self : t_Skip'0 . 
[%#sskip3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - use prelude.prelude.Intrinsic + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 + | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter end - meta "compute_max_steps" 1000000 + function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 - let rec extern_spec_std_option_T_Option_T_and_then_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_8 <- (t) ] s2 - | s2 = call_once'0 {f} {_8} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s3) - | s3 = bb7 ] - - | bb7 = bb8 - | bb8 = bb9 - | bb9 = bb10 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb10 ] - | bb10 = bb11 - | bb11 = bb12 - | bb12 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'1 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _8 : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_and_then_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'1 - | C_Some'0 t -> postcondition_once'0 f (t) result - end} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_filter_body [#"../../../creusot-contracts/src/std/option.rs" 254 16 256 41] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 254 35 254 44 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 243 27 246 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 254 52 254 61 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 247 26 253 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + axiom iter'0_spec : forall self : t_Skip'0 . 
[%#sskip4] inv'0 self -> inv'1 (iter'0 self) - type t_T'0 + use seq.Seq - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - type t_P'0 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + use seq.Seq use prelude.prelude.Borrow - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant6] inv'0 self + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + + = + [%#sskip2] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o + \/ n'0 o = 0 + /\ Seq.length visited > 0 + /\ (exists s : Seq.seq t_Item'0 . 
Seq.length s = n'0 self + /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant self : t_Skip'0 - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (self : t_Skip'0) : () - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal vc_produces_refl'0 : [%#sskip0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_trans [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (* as std::iter::Iterator> *) + let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 78 15 78 32 + let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 79 15 79 32 + let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 80 14 80 42 + let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 76 4 76 10 + let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 + let%span sskip5 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 + let%span sskip6 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + type t_I'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : t_T'0) + use prelude.prelude.UIntSize - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + type t_Skip'0 = + { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } - axiom inv_axiom'2 [@rewrite] : forall x : bool [inv'4 x] . inv'4 x = true + type t_Item'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : t_T'0) (result : bool) - + use seq.Seq - let rec call_once'0 (self:t_P'0) (args:t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:bool)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] - + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + use prelude.prelude.Int - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + constant v_MAX'0 : usize = (18446744073709551615 : usize) - use prelude.prelude.Intrinsic + use prelude.prelude.UIntSize - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + axiom n'0_spec : forall self : t_Skip'0 . [%#sskip5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . 
inv'0 x = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'0 a_0 + | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter end - meta "compute_max_steps" 1000000 + function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 - let rec extern_spec_std_option_T_Option_T_filter_body'0 (self_:t_Option'0) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_filter_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_filter_body 'predicate' type invariant] [%#soption1] inv'1 predicate'} - {[@expl:extern_spec_std_option_T_Option_T_filter_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 predicate' (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_11 <- t ] s2 - | s2 = [ &_9 <- (_11) ] s3 - | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) - | s4 = bb7 ] - - | bb7 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] - | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] - | bb9 = bb12 - | bb10 = s0 [ s0 = {[@expl:type invariant] inv'0 t} s1 | s1 = -{resolve'0 t}- s2 | s2 = bb11 ] - | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] - | bb12 = bb13 - | bb13 = bb14 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 predicate'} s1 | s1 = -{resolve'1 predicate'}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb14 ] - | bb14 = bb15 - | bb15 = bb16 - | bb16 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & predicate' : t_P'0 = predicate' - | & t : t_T'0 = any_l () - | & _7 : bool = any_l () - | & _9 : t_T'0 = any_l () - | & _11 : t_T'0 = any_l () ] + axiom iter'0_spec : forall self : t_Skip'0 . 
[%#sskip6] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_filter_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_filter_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'0 - | C_Some'0 t -> match result with - | C_None'0 -> postcondition_once'0 predicate' (t) false /\ resolve'0 t - | C_Some'0 r -> postcondition_once'0 predicate' (t) true /\ r = t - end - end} - (! return' {result}) ] + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 273 16 275 44] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 273 36 273 37 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 273 45 273 54 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 269 26 272 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - type t_T'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - type t_F'0 + axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq use prelude.prelude.Borrow - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + = + [%#sskip4] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o + \/ n'0 o = 0 + /\ Seq.length visited > 0 + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self + /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) - - axiom inv_axiom'1 [@rewrite] : forall x : () [inv'2 x] . inv'2 x = true + constant a : t_Skip'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + constant ab : Seq.seq t_Item'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant b : t_Skip'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + constant bc : Seq.seq t_Item'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'3 a_0 - end + constant c : t_Skip'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_Option'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (a : t_Skip'0) (ab : Seq.seq t_Item'0) (b : t_Skip'0) (bc : Seq.seq t_Item'0) (c : t_Skip'0) : () - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'2 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_Option'0)-> {inv'1 result} - {[%#sops4] postcondition_once'0 self args result} - (! return' {result}) ] - + goal vc_produces_trans'0 : ([%#sskip1] produces'0 b bc c) + -> ([%#sskip0] produces'0 a ab b) -> ([%#sskip2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_refl [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (* as std::iter::Iterator> *) + let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 71 14 71 45 + let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 69 4 69 10 + let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 + let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 + let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - use prelude.prelude.Intrinsic + use seq.Seq - meta "compute_max_steps" 1000000 + type t_Item'0 - let rec 
extern_spec_std_option_T_Option_T_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- C_Some'0 t ] s4 - | s4 = bb8 ] - - | bb8 = bb9 - | bb9 = bb10 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb10 - | bb10 = bb11 - | bb11 = bb12 - | bb12 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & _7 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_or_else_body result type invariant] [%#soption2] inv'1 result} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> postcondition_once'0 f () result - | C_Some'0 t -> result = C_Some'0 t - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_get_or_insert_with_body [#"../../../creusot-contracts/src/std/option.rs" 311 16 313 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 311 52 311 53 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 306 27 306 63 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 311 61 311 67 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 307 26 310 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span soption6 = "../../../creusot-contracts/src/std/option.rs" 62 26 62 75 - let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 64 20 65 100 - let%span sresolve8 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sresolve9 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - let%span sinvariant10 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + use seq.Seq - type t_T'0 + type t_I'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.UIntSize - type t_F'0 + type t_Take'0 = + { t_Take__iter'0: t_I'0; t_Take__n'0: usize } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Borrow + constant v_MAX'0 : usize = (18446744073709551615 : usize) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.UIntSize - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! 
ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + axiom n'0_spec : forall self : t_Take'0 . [%#stake3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant10] inv'1 self.current /\ inv'1 self.final + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) - predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve8] self.final = self.current + axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x + = match x with + | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter + end - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'4 _1 + function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + axiom iter'0_spec : forall self : t_Take'0 . [%#stake4] inv'0 self -> inv'1 (iter'0 self) - axiom inv_axiom'3 [@rewrite] : forall x : () [inv'5 x] . 
inv'5 x = true + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_T'0)-> {inv'1 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + = + [%#stake2] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + constant self : t_Take'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'3 x] . 
inv'3 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'1 a_0 - end + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (self : t_Take'0) : () - predicate resolve'7 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + goal vc_produces_refl'0 : [%#stake0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_trans [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (* as std::iter::Iterator> *) + let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32 + let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 77 15 77 32 + let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 78 14 78 42 + let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 74 4 74 10 + let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 + let%span stake5 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 + let%span stake6 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - predicate resolve'5 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = - [%#sresolve9] match self with - | C_Some'0 x -> resolve'7 x - | C_None'0 -> true - end + type t_I'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Option'0) = - resolve'5 _1 + use prelude.prelude.UIntSize - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = - [%#sinvariant10] inv'3 self.current /\ inv'3 self.final + type t_Take'0 = + { 
t_Take__iter'0: t_I'0; t_Take__n'0: usize } - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + type t_Item'0 - axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'4 x] . inv'4 x = invariant'1 x + use seq.Seq - type t_Option'1 = - | C_None'1 - | C_Some'1 (borrowed t_T'0) + use prelude.prelude.Int - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom inv_axiom'4 [@rewrite] : forall x : t_Option'1 [inv'6 x] . inv'6 x + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + + axiom n'0_spec : forall self : t_Take'0 . [%#stake5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'2 a_0 + | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter end - let rec as_mut'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'1))= {[@expl:as_mut 'self' type invariant] inv'4 self} - any - [ return' (result:t_Option'1)-> {inv'6 result} - {[%#soption6] self.current = C_None'0 -> result = C_None'1 /\ self.final = C_None'0} - {[%#soption7] self.current = C_None'0 - \/ (exists r : borrowed t_T'0 . result = C_Some'1 r - /\ self.current = C_Some'0 (r.current) /\ self.final = C_Some'0 (r.final))} - (! 
return' {result}) ] - + function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 - let rec unwrap'0 (self:t_Option'1) (return' (ret:borrowed t_T'0))= {[@expl:unwrap 'self' type invariant] inv'6 self} - {[@expl:unwrap requires] [%#soption0] self <> C_None'1} - any [ return' (result:borrowed t_T'0)-> {inv'2 result} {[%#soption0] C_Some'1 result = self} (! return' {result}) ] + axiom iter'0_spec : forall self : t_Take'0 . [%#stake6] inv'0 self -> inv'1 (iter'0 self) - predicate resolve'6 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = - [%#sresolve8] self.final = self.current + use seq.Seq - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = - resolve'6 _1 + use seq.Seq - use prelude.prelude.Intrinsic + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - meta "compute_max_steps" 1000000 + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - let rec extern_spec_std_option_T_Option_T_get_or_insert_with_body'0 (self_:borrowed (t_Option'0)) (f:t_F'0) (return' (ret:borrowed t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'self_' type invariant] [%#soption0] inv'4 self_} + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + + = + [%#stake4] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) + + constant a : t_Take'0 + + constant ab : Seq.seq t_Item'0 + + constant b : t_Take'0 + + constant bc : Seq.seq t_Item'0 + + constant c : t_Take'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (a : t_Take'0) (ab : Seq.seq t_Item'0) (b : t_Take'0) (bc : Seq.seq t_Item'0) (c : t_Take'0) : () + + + goal vc_produces_trans'0 : ([%#stake1] produces'0 b bc c) + -> ([%#stake0] produces'0 a ab b) -> ([%#stake2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_refl [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (* as std::iter::Iterator> *) + let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45 + let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 53 4 53 10 + let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 + let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 + let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + type t_Item'1 + + use seq.Seq + + type t_A'0 + + type t_B'0 + + use prelude.prelude.UIntSize + + type t_Zip'0 = + { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + + use seq.Seq + + use seq.Seq + + use 
seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a + /\ inv'2 b + end + + function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + + axiom itera'0_spec : forall self : t_Zip'0 . [%#szip3] inv'0 self -> inv'1 (itera'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + + + axiom produces_trans'0_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + + axiom produces_refl'1_spec : forall self : t_A'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + + axiom iterb'0_spec : forall self : t_Zip'0 . 
[%#szip4] inv'0 self -> inv'2 (iterb'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + + + axiom produces_trans'1_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter6] produces'2 a ab b) + -> ([%#siter7] produces'2 b bc c) -> ([%#siter8] produces'2 a (Seq.(++) ab bc) c) + + function produces_refl'2 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + + axiom produces_refl'2_spec : forall self : t_B'0 . [%#siter5] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + + = + [%#szip2] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 + /\ Seq.length p2 = Seq.length visited + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) + /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + + constant self : t_Zip'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (self : t_Zip'0) : () + + goal vc_produces_refl'0 : [%#szip0] produces'0 self (Seq.empty : Seq.seq (t_Item'0, t_Item'1)) self +end +module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_trans [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (* as std::iter::Iterator> *) + let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32 + let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32 + let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42 + let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 58 4 58 10 + let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 + let%span szip5 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 + let%span szip6 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_A'0 + + type t_B'0 + + use prelude.prelude.UIntSize + + type t_Zip'0 = + { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + + type t_Item'0 + + type t_Item'1 + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + + predicate inv'2 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a + /\ inv'2 b + end + + function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + + axiom itera'0_spec : forall self : t_Zip'0 . [%#szip5] inv'0 self -> inv'1 (itera'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + + + axiom produces_trans'1_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + + axiom produces_refl'0_spec : forall self : t_A'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + + axiom iterb'0_spec : forall self : t_Zip'0 . 
[%#szip6] inv'0 self -> inv'2 (iterb'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + + + function produces_trans'2 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + + + axiom produces_trans'2_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter8] produces'2 a ab b) + -> ([%#siter9] produces'2 b bc c) -> ([%#siter10] produces'2 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + + axiom produces_refl'1_spec : forall self : t_B'0 . [%#siter7] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + + = + [%#szip4] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 + /\ Seq.length p2 = Seq.length visited + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) + /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + + use seq.Seq + + constant a : t_Zip'0 + + constant ab : Seq.seq (t_Item'0, t_Item'1) + + constant b : t_Zip'0 + + constant bc : Seq.seq (t_Item'0, t_Item'1) + + constant c : t_Zip'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (a : t_Zip'0) (ab : Seq.seq (t_Item'0, t_Item'1)) (b : t_Zip'0) (bc : Seq.seq (t_Item'0, t_Item'1)) (c : t_Zip'0) : () + + + goal vc_produces_trans'0 : ([%#szip1] produces'0 b bc c) + -> ([%#szip0] produces'0 a ab b) -> ([%#szip2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_refl [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (* <&mut I as std::iter::Iterator> *) + let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 222 14 222 45 + let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 220 4 220 10 + let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 + let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_I'0 + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : 
t_I'0 . ([%#siter4] produces'1 a ab b) + -> ([%#siter5] produces'1 b bc c) -> ([%#siter6] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter3] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + + = + [%#siter2] produces'1 self.current visited o.current /\ self.final = o.final + + constant self : borrowed t_I'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (self : borrowed t_I'0) : () + + goal vc_produces_refl'0 : [%#siter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_trans [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (* <&mut I as std::iter::Iterator> *) + let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 227 15 227 32 + let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 228 15 228 32 + let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 229 14 229 42 + let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 225 4 225 10 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use prelude.prelude.Borrow + + type t_I'0 + + type t_Item'0 + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function 
produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + + = + [%#siter4] produces'1 self.current visited o.current /\ self.final = o.final + + constant a : borrowed t_I'0 + + constant ab : Seq.seq t_Item'0 + + constant b : borrowed t_I'0 + + constant bc : Seq.seq t_Item'0 + + constant c : borrowed t_I'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (a : borrowed t_I'0) (ab : Seq.seq t_Item'0) (b : borrowed t_I'0) (bc : Seq.seq t_Item'0) (c : borrowed t_I'0) : () + + + goal vc_produces_trans'0 : ([%#siter1] produces'0 b bc c) + -> ([%#siter0] produces'0 a ab b) -> ([%#siter2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_unwrap_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 103 16 105 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 103 43 103 44 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 103 52 103 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 99 26 102 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type 
t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'1 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_T'0)-> {inv'2 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_unwrap_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- t ] s4 + | s4 = bb8 ] + + | bb8 = bb9 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb9 + | bb9 = bb10 + | bb10 = bb11 + | bb11 = return' {_0} ] + ) + [ & _0 : t_T'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & _7 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body result type invariant] [%#soption2] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> postcondition_once'0 f () result + | C_Some'0 t -> result = t + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_body [#"../../../creusot-contracts/src/std/option.rs" 131 16 133 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 131 35 131 36 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 123 27 126 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 131 44 131 53 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 127 26 130 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'1 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + type t_Option'0 = + | C_None'1 + | C_Some'1 t_U'0 + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'5 a_0 + end + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_map_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_map_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! 
bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_9 <- (t) ] s2 + | s2 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_7 <- _ret' ] s3) + | s3 = bb7 ] + + | bb7 = bb8 + | bb8 = s0 [ s0 = [ &_0 <- C_Some'1 _7 ] s1 | s1 = bb9 ] + | bb9 = bb10 + | bb10 = bb11 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb11 ] + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'1 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _7 : t_U'0 = any_l () + | & _9 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_map_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'1 + | C_Some'0 t -> exists r : t_U'0 . result = C_Some'1 r /\ postcondition_once'0 f (t) r + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_inspect_body [#"../../../creusot-contracts/src/std/option.rs" 149 16 151 33] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 149 36 149 37 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 140 27 143 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 149 45 149 54 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 145 26 148 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant6] inv'4 self + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : ()) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:()))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'2 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any [ return' (result:())-> {inv'3 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_inspect_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = any [ br0 -> {self_ = C_None'0 } (! bb5) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb6) ] + | bb6 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_12 <- t ] s2 + | s2 = [ &_10 <- (_12) ] s3 + | s3 = call_once'0 {f} {_10} (fun (_ret':()) -> [ &_8 <- _ret' ] s4) + | s4 = bb8 ] + + | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] + | bb9 = bb10 + | bb10 = bb11 + | bb5 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb7 ] + | bb7 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb11 ] + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _8 : () = any_l () + | & _10 : t_T'0 = any_l () + | & _12 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_inspect_body result type invariant] [%#soption3] inv'1 result} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #0] [%#soption0] result = self_} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #1] [%#soption4] match self_ with + | C_None'0 -> true + | C_Some'0 t -> postcondition_once'0 f (t) () + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_body [#"../../../creusot-contracts/src/std/option.rs" 166 16 168 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 166 38 166 45 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 166 50 166 51 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 158 27 161 17 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 166 59 166 60 + let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 162 26 165 17 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_U'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_U'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'4 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops6] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'0 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_or_body'0 (self_:t_Option'0) (default:t_U'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'default' type invariant] [%#soption1] inv'0 default} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'f' type invariant] [%#soption2] inv'1 f} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body requires] [%#soption3] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 default} s1 + | s1 = -{resolve'0 default}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_9 <- (t) ] s4 + | s4 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) + | s5 = bb7 ] + + | bb7 = bb8 + | bb8 = bb9 + | bb9 = bb10 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- default ] s1 | s1 = bb10 ] + | bb10 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_U'0 = any_l () + | & self_ : t_Option'0 = self_ + | & default : t_U'0 = default + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _9 : t_T'0 = any_l () ] + + [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_body result type invariant] [%#soption4] inv'0 result} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body ensures] [%#soption5] match self_ with + | C_None'0 -> result = default + | C_Some'0 t -> postcondition_once'0 f (t) result + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 183 16 186 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 183 46 183 53 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 183 58 183 59 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 175 27 178 17 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 183 67 183 68 + let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 179 26 182 17 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_D'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_D'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_D'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'4 x] . 
inv'4 x = (let (x0) = x in inv'6 x0) + + predicate precondition'1 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate postcondition_once'1 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'4 args} + {[@expl:call_once requires] [%#sops6] precondition'1 self args} + any + [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'1 self args result} (! return' {result}) ] + + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_D'0) (args : ()) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_D'0) (args : ()) (result : t_U'0) + + + let rec call_once'1 (self:t_D'0) (args:()) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops6] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'6 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_or_else_body'0 (self_:t_Option'0) (default:t_D'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'default' type invariant] [%#soption1] inv'0 default} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'f' type invariant] [%#soption2] inv'1 f} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body requires] [%#soption3] match self_ with + | C_None'0 -> precondition'0 default () + | C_Some'0 t -> precondition'1 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 default} s1 + | s1 = -{resolve'0 default}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_11 <- (t) ] s4 + | s4 = call_once'0 {f} {_11} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) + | s5 = bb8 ] + + | bb8 = bb9 + | bb9 = bb10 + | bb10 = bb11 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = call_once'1 {default} {_8} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = bb14 + | bb14 = return' {_0} ] + ) + [ & _0 : t_U'0 = any_l () + | & self_ : t_Option'0 = self_ + | & default : t_D'0 = default + | & f : t_F'0 = f + | & _8 : () = any_l () + | & t : t_T'0 = any_l () + | & _11 : t_T'0 = any_l () ] + + [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body result type invariant] [%#soption4] inv'3 result} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body ensures] [%#soption5] match self_ with + | C_None'0 -> postcondition_once'0 
default () result + | C_Some'0 t -> postcondition_once'1 f (t) result + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_ok_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 204 16 206 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 204 42 204 45 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 204 53 204 65 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 200 26 203 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_E'0 + + type t_Result'0 = + | C_Ok'0 t_T'0 + | C_Err'0 t_E'0 + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . 
inv'3 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_E'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_E'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_E'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_E'0)-> {inv'4 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'5 a_0 + end + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Result'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Result'0 [inv'2 x] . inv'2 x + = match x with + | C_Ok'0 a_0 -> inv'5 a_0 + | C_Err'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_ok_or_else_body'0 (self_:t_Option'0) (err:t_F'0) (return' (ret:t_Result'0))= {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'err' type invariant] [%#soption1] inv'0 err} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 err ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 err} s1 + | s1 = -{resolve'0 err}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- C_Ok'0 t ] s4 + | s4 = bb9 ] + + | bb9 = bb10 + | bb10 = bb11 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {err} {_8} (fun (_ret':t_E'0) -> [ &_6 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = s0 [ s0 = [ &_0 <- C_Err'0 _6 ] s1 | s1 = bb8 ] + | bb8 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Result'0 = any_l () + | & self_ : t_Option'0 = self_ + | & err : t_F'0 = err + | & _6 : t_E'0 = any_l () + | & _8 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_Result'0)-> {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body result type invariant] [%#soption2] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> exists r : t_E'0 . result = C_Err'0 r /\ postcondition_once'0 err () r + | C_Some'0 t -> result = C_Ok'0 t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_and_then_body [#"../../../creusot-contracts/src/std/option.rs" 234 16 236 45] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 234 40 234 41 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 226 27 229 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 234 49 234 58 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 230 26 233 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'1 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . 
C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + type t_Option'0 = + | C_None'1 + | C_Some'1 t_U'0 + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'5 a_0 + end + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_Option'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_Option'0)-> {inv'2 result} + {[%#sops5] postcondition_once'0 self args result} + (! return' {result}) ] + + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_and_then_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_8 <- (t) ] s2 + | s2 = call_once'0 {f} {_8} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s3) + | s3 = bb7 ] + + | bb7 = bb8 + | bb8 = bb9 + | bb9 = bb10 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb10 ] + | bb10 = bb11 + | bb11 = bb12 + | bb12 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'1 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _8 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_and_then_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'1 + | C_Some'0 t -> postcondition_once'0 f (t) result + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_filter_body [#"../../../creusot-contracts/src/std/option.rs" 254 16 256 41] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 254 35 254 44 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 243 27 246 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 254 52 254 61 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 247 26 253 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_P'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + + use prelude.prelude.Borrow + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant6] inv'0 self + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : t_T'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + + axiom inv_axiom'2 [@rewrite] : forall x : bool [inv'4 x] . inv'4 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : t_T'0) (result : bool) + + + let rec call_once'0 (self:t_P'0) (args:t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:bool)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'0 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_filter_body'0 (self_:t_Option'0) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_filter_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_filter_body 'predicate' type invariant] [%#soption1] inv'1 predicate'} + {[@expl:extern_spec_std_option_T_Option_T_filter_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 predicate' (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_11 <- t ] s2 + | s2 = [ &_9 <- (_11) ] s3 + | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) + | s4 = bb7 ] + + | bb7 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] + | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] + | bb9 = bb12 + | bb10 = s0 [ s0 = {[@expl:type invariant] inv'0 t} s1 | s1 = -{resolve'0 t}- s2 | s2 = bb11 ] + | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] + | bb12 = bb13 + | bb13 = bb14 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 predicate'} s1 | s1 = -{resolve'1 predicate'}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb14 ] + | bb14 = bb15 + | bb15 = bb16 + | bb16 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & predicate' : t_P'0 = predicate' + | & t : t_T'0 = any_l () + | & _7 : bool = any_l () + | & _9 : t_T'0 = any_l () + | & _11 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_filter_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_filter_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'0 + | C_Some'0 t -> match result with + | C_None'0 -> postcondition_once'0 predicate' (t) false /\ resolve'0 t + | C_Some'0 r -> postcondition_once'0 predicate' (t) true /\ r = t + end + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 273 16 275 44] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 273 36 273 37 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 273 45 273 54 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 269 26 272 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'1 [@rewrite] : forall x : () [inv'2 x] . inv'2 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'3 a_0 + end + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_Option'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'2 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_Option'0)-> {inv'1 result} + {[%#sops4] postcondition_once'0 self args result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- C_Some'0 t ] s4 + | s4 = bb8 ] + + | bb8 = bb9 + | bb9 = bb10 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb10 + | bb10 = bb11 + | bb11 = bb12 + | bb12 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & _7 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_or_else_body result type invariant] [%#soption2] inv'1 result} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> postcondition_once'0 f () result + | C_Some'0 t -> result = C_Some'0 t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_get_or_insert_with_body [#"../../../creusot-contracts/src/std/option.rs" 311 16 313 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 311 52 311 53 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 306 27 306 63 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 311 61 311 67 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 307 26 310 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span soption6 = "../../../creusot-contracts/src/std/option.rs" 62 26 62 75 + let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 64 20 65 100 + let%span sresolve8 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sresolve9 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 + let%span sinvariant10 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + + 
type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant10] inv'1 self.current /\ inv'1 self.final + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + + predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve8] self.final = self.current + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'4 _1 + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'3 [@rewrite] : forall x : () [inv'5 x] . 
inv'5 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_T'0)-> {inv'1 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'1 a_0 + end + + predicate resolve'7 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + + predicate resolve'5 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = + [%#sresolve9] match self with + | C_Some'0 x -> resolve'7 x + | C_None'0 -> true + end + + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Option'0) = + resolve'5 _1 + + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = + [%#sinvariant10] inv'3 self.current /\ inv'3 self.final + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + + axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'4 x] . inv'4 x = invariant'1 x + + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_T'0) + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'4 [@rewrite] : forall x : t_Option'1 [inv'6 x] . 
inv'6 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'2 a_0 + end + + let rec as_mut'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'1))= {[@expl:as_mut 'self' type invariant] inv'4 self} + any + [ return' (result:t_Option'1)-> {inv'6 result} + {[%#soption6] self.current = C_None'0 -> result = C_None'1 /\ self.final = C_None'0} + {[%#soption7] self.current = C_None'0 + \/ (exists r : borrowed t_T'0 . result = C_Some'1 r + /\ self.current = C_Some'0 (r.current) /\ self.final = C_Some'0 (r.final))} + (! return' {result}) ] + + + let rec unwrap'0 (self:t_Option'1) (return' (ret:borrowed t_T'0))= {[@expl:unwrap 'self' type invariant] inv'6 self} + {[@expl:unwrap requires] [%#soption0] self <> C_None'1} + any [ return' (result:borrowed t_T'0)-> {inv'2 result} {[%#soption0] C_Some'1 result = self} (! return' {result}) ] + + predicate resolve'6 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = + [%#sresolve8] self.final = self.current + + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = + resolve'6 _1 + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_get_or_insert_with_body'0 (self_:borrowed (t_Option'0)) (f:t_F'0) (return' (ret:borrowed t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'self_' type invariant] [%#soption0] inv'4 self_} {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'f' type invariant] [%#soption1] inv'0 f} {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body requires] [%#soption2] self_.current = C_None'0 -> precondition'0 f ()} 
@@ -6022,3455 +7932,4705 @@ module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T | s5 = -{resolve'1 t}- s6 | s6 = bb14 ] - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_12} (fun (_ret':t_T'0) -> [ &_10 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = s0 [ s0 = [ &_9 <- C_Some'0 _10 ] s1 | s1 = bb8 ] - | bb8 = bb9 - | bb9 = s0 - [ s0 = {[@expl:type invariant] match self_ with - | {current = x'0} -> inv'3 x'0 - | _ -> true - end} - s1 - | s1 = -{match self_ with - | {current = x'1} -> resolve'2 x'1 - | _ -> true - end}- - s2 - | s2 = [ &self_ <- { self_ with current = _9 } ] s3 - | s3 = bb11 ] + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_12} (fun (_ret':t_T'0) -> [ &_10 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = s0 [ s0 = [ &_9 <- C_Some'0 _10 ] s1 | s1 = bb8 ] + | bb8 = bb9 + | bb9 = s0 + [ s0 = {[@expl:type invariant] match self_ with + | {current = x'0} -> inv'3 x'0 + | _ -> true + end} + s1 + | s1 = -{match self_ with + | {current = x'1} -> resolve'2 x'1 + | _ -> true + end}- + s2 + | s2 = [ &self_ <- { self_ with current = _9 } ] s3 + | s3 = bb11 ] + + | bb11 = s0 + [ s0 = {inv'3 self_.current} + Borrow.borrow_final {self_.current} {Borrow.get_id self_} + (fun (_ret':borrowed (t_Option'0)) -> + [ &_15 <- _ret' ] + -{inv'3 _ret'.final}- + [ &self_ <- { self_ with current = _ret'.final } ] + s1) + | s1 = as_mut'0 {_15} (fun (_ret':t_Option'1) -> [ &_14 <- _ret' ] s2) + | s2 = bb12 ] + + | bb12 = s0 [ s0 = unwrap'0 {_14} (fun (_ret':borrowed t_T'0) -> [ &_13 <- _ret' ] s1) | s1 = bb13 ] + | bb13 = s0 + [ s0 = {inv'1 _13.current} + Borrow.borrow_final {_13.current} {Borrow.get_id _13} + (fun (_ret':borrowed t_T'0) -> + [ &_8 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_13 <- { _13 with current = _ret'.final } ] + s1) + | s1 = {inv'1 _8.current} + Borrow.borrow_final {_8.current} {Borrow.get_id _8} + (fun (_ret':borrowed t_T'0) -> + [ &_6 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_8 <- { _8 with current = _ret'.final } ] + s2) + | s2 = {[@expl:type 
invariant] inv'2 _13} s3 + | s3 = -{resolve'1 _13}- s4 + | s4 = {[@expl:type invariant] inv'2 _8} s5 + | s5 = -{resolve'1 _8}- s6 + | s6 = bb14 ] + + | bb14 = s0 + [ s0 = {inv'1 _6.current} + Borrow.borrow_final {_6.current} {Borrow.get_id _6} + (fun (_ret':borrowed t_T'0) -> + [ &_3 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_6 <- { _6 with current = _ret'.final } ] + s1) + | s1 = {inv'1 _3.current} + Borrow.borrow_final {_3.current} {Borrow.get_id _3} + (fun (_ret':borrowed t_T'0) -> + [ &_0 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_3 <- { _3 with current = _ret'.final } ] + s2) + | s2 = {[@expl:type invariant] inv'2 _6} s3 + | s3 = -{resolve'1 _6}- s4 + | s4 = {[@expl:type invariant] inv'2 _3} s5 + | s5 = -{resolve'1 _3}- s6 + | s6 = bb15 ] + + | bb15 = s0 [ s0 = {[@expl:type invariant] inv'4 self_} s1 | s1 = -{resolve'3 self_}- s2 | s2 = return' {_0} ] ] + ) + [ & _0 : borrowed t_T'0 = any_l () + | & self_ : borrowed (t_Option'0) = self_ + | & f : t_F'0 = f + | & _3 : borrowed t_T'0 = any_l () + | & _6 : borrowed t_T'0 = any_l () + | & _8 : borrowed t_T'0 = any_l () + | & _9 : t_Option'0 = any_l () + | & _10 : t_T'0 = any_l () + | & _12 : () = any_l () + | & _13 : borrowed t_T'0 = any_l () + | & _14 : t_Option'1 = any_l () + | & _15 : borrowed (t_Option'0) = any_l () + | & t : borrowed t_T'0 = any_l () ] + + [ return' (result:borrowed t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body ensures] [%#soption4] match self_.current with + | C_None'0 -> postcondition_once'0 f () result.current /\ self_.final = C_Some'0 (result.final) + | C_Some'0 _ -> self_.current = C_Some'0 (result.current) /\ self_.final = C_Some'0 (result.final) + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_take_if_body [#"../../../creusot-contracts/src/std/option.rs" 338 16 340 45] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 338 41 338 50 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 324 27 327 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 338 58 338 67 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 328 26 337 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sresolve6 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant7 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + use prelude.prelude.Borrow + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_P'0 + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant7] inv'0 self.current /\ inv'0 self.final + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'5 x] . 
inv'5 x = (let (x0) = x in inv'1 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : borrowed t_T'0) + + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + + axiom inv_axiom'4 [@rewrite] : forall x : bool [inv'6 x] . inv'6 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : borrowed t_T'0) (result : bool) + + + let rec call_once'0 (self:t_P'0) (args:borrowed t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'4 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:bool)-> {inv'6 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve6] self.final = self.current + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'3 _1 + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'0 a_0 + end + + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = + [%#sinvariant7] inv'2 self.current /\ inv'2 self.final + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + + axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'3 x] . 
inv'3 x = invariant'1 x + + let rec take'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'0))= {[@expl:take 'self' type invariant] inv'3 self} + any + [ return' (result:t_Option'0)-> {inv'2 result} + {[%#soption0] result = self.current /\ self.final = C_None'0} + (! return' {result}) ] + + + predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = + [%#sresolve6] self.final = self.current + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = + resolve'4 _1 + + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_take_if_body'0 (self_:borrowed (t_Option'0)) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'self_' type invariant] [%#soption0] inv'3 self_} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'predicate' type invariant] [%#soption1] inv'4 predicate'} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body requires] [%#soption2] match self_.current with + | C_None'0 -> true + | C_Some'0 t -> forall b : borrowed t_T'0 . inv'1 b /\ b.current = t -> precondition'0 predicate' (b) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_.current} + (fun (r0'0:t_T'0) -> + {inv'0 r0'0} + Borrow.borrow_mut {r0'0} + (fun (_ret':borrowed t_T'0) -> + [ &t <- _ret' ] + -{inv'0 _ret'.final}- + [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] + s1)) + | s1 = {inv'0 t.current} + Borrow.borrow_final {t.current} {Borrow.get_id t} + (fun (_ret':borrowed t_T'0) -> + [ &_10 <- _ret' ] + -{inv'0 _ret'.final}- + [ &t <- { t with current = _ret'.final } ] + s2) + | s2 = [ &_9 <- (_10) ] s3 + | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) + | s4 = bb7 ] + + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'1 t} s1 + | s1 = -{resolve'0 t}- s2 + | s2 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] ] - | bb11 = s0 - [ s0 = {inv'3 self_.current} + | bb8 = s0 + [ s0 = {inv'2 self_.current} Borrow.borrow_final {self_.current} {Borrow.get_id self_} (fun (_ret':borrowed (t_Option'0)) -> - [ &_15 <- _ret' ] - -{inv'3 _ret'.final}- + [ &_11 <- _ret' ] + -{inv'2 _ret'.final}- [ &self_ <- { self_ with current = _ret'.final } ] s1) - | s1 = as_mut'0 {_15} (fun (_ret':t_Option'1) -> [ &_14 <- _ret' ] s2) - | s2 = bb12 ] - - | bb12 = s0 [ s0 = unwrap'0 {_14} (fun (_ret':borrowed t_T'0) -> [ &_13 <- _ret' ] s1) | s1 = bb13 ] - | bb13 = s0 - [ s0 = {inv'1 _13.current} - Borrow.borrow_final {_13.current} {Borrow.get_id _13} - (fun (_ret':borrowed t_T'0) -> - [ &_8 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_13 <- { _13 with current = _ret'.final } ] - s1) - | s1 = {inv'1 _8.current} - Borrow.borrow_final {_8.current} {Borrow.get_id _8} - (fun (_ret':borrowed t_T'0) -> - [ &_6 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_8 <- { _8 with current = _ret'.final } ] - s2) - | s2 = {[@expl:type invariant] inv'2 _13} s3 - | s3 = -{resolve'1 _13}- s4 - | s4 = {[@expl:type invariant] inv'2 _8} s5 - | s5 = -{resolve'1 _8}- s6 - | s6 = bb14 ] + | s1 = take'0 {_11} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s2) + | s2 = bb9 ] - | bb14 = s0 - [ s0 = {inv'1 
_6.current} - Borrow.borrow_final {_6.current} {Borrow.get_id _6} - (fun (_ret':borrowed t_T'0) -> - [ &_3 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_6 <- { _6 with current = _ret'.final } ] - s1) - | s1 = {inv'1 _3.current} - Borrow.borrow_final {_3.current} {Borrow.get_id _3} - (fun (_ret':borrowed t_T'0) -> - [ &_0 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_3 <- { _3 with current = _ret'.final } ] - s2) - | s2 = {[@expl:type invariant] inv'2 _6} s3 - | s3 = -{resolve'1 _6}- s4 - | s4 = {[@expl:type invariant] inv'2 _3} s5 - | s5 = -{resolve'1 _3}- s6 - | s6 = bb15 ] + | bb9 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb12 ] + | bb10 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb11 ] + | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] + | bb12 = bb13 + | bb4 = s0 + [ s0 = {[@expl:type invariant] inv'4 predicate'} s1 + | s1 = -{resolve'2 predicate'}- s2 + | s2 = {[@expl:type invariant] inv'3 self_} s3 + | s3 = -{resolve'1 self_}- s4 + | s4 = bb6 ] - | bb15 = s0 [ s0 = {[@expl:type invariant] inv'4 self_} s1 | s1 = -{resolve'3 self_}- s2 | s2 = return' {_0} ] ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb13 ] + | bb13 = bb14 + | bb14 = return' {_0} ] ) - [ & _0 : borrowed t_T'0 = any_l () + [ & _0 : t_Option'0 = any_l () | & self_ : borrowed (t_Option'0) = self_ - | & f : t_F'0 = f - | & _3 : borrowed t_T'0 = any_l () - | & _6 : borrowed t_T'0 = any_l () - | & _8 : borrowed t_T'0 = any_l () - | & _9 : t_Option'0 = any_l () - | & _10 : t_T'0 = any_l () - | & _12 : () = any_l () - | & _13 : borrowed t_T'0 = any_l () - | & _14 : t_Option'1 = any_l () - | & _15 : borrowed (t_Option'0) = any_l () - | & t : borrowed t_T'0 = any_l () ] + | & predicate' : t_P'0 = predicate' + | & t : borrowed t_T'0 = any_l () + | & _7 : bool = any_l () + | & _9 : borrowed t_T'0 = any_l () + | & _10 : borrowed t_T'0 = any_l () + | & _11 : borrowed (t_Option'0) = any_l () ] + + [ return' 
(result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_take_if_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body ensures] [%#soption4] match self_.current with + | C_None'0 -> result = C_None'0 /\ self_.final = C_None'0 + | C_Some'0 cur -> exists b : borrowed t_T'0, res : bool . inv'1 b + /\ cur = b.current + /\ postcondition_once'0 predicate' (b) res + /\ (if res then + self_.final = C_None'0 /\ result = C_Some'0 (b.final) + else + self_.final = C_Some'0 (b.final) /\ result = C_None'0 + ) + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Greater'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Less'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Less'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Greater'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'1_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption2] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : t_Option'0) : () + + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption4] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + constant z : t_Option'0 + + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : t_Option'0) (y : t_Option'0) (z : t_Option'0) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + 
let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - [ return' (result:borrowed t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body ensures] [%#soption4] match self_.current with - | C_None'0 -> postcondition_once'0 f () result.current /\ self_.final = C_Some'0 (result.final) - | C_Some'0 _ -> self_.current = C_Some'0 (result.current) /\ self_.final = C_Some'0 (result.final) - end} - (! 
return' {result}) ] + = + [%#soption2] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : t_Option'0) (y : t_Option'0) : () + + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 476 14 476 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 474 4 474 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + + use seq.Seq + + type t_T'0 + + use seq.Seq + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + constant self : t_IntoIter'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (self : t_IntoIter'0) : () + + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 481 15 481 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 482 15 482 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 483 14 483 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 479 4 479 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + use seq.Seq + + constant a : t_IntoIter'0 + + constant ab : Seq.seq t_T'0 + + constant b : t_IntoIter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_take_if_body [#"../../../creusot-contracts/src/std/option.rs" 338 16 340 45] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 338 41 338 50 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 324 27 327 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 338 58 338 67 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 328 26 337 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sresolve6 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant7 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 +module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 529 14 529 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 527 4 527 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Item'0 = + { 
t_Item__opt'0: t_Option'0 } + + type t_Iter'0 = + { t_Iter__inner'0: t_Item'0 } + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + constant self : t_Iter'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (self : t_Iter'0) : () + + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 534 15 534 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 535 15 535 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 536 14 536 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 532 4 532 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + + use prelude.prelude.Borrow + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_Iter'0 = + { t_Iter__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + use seq.Seq + + constant a : t_Iter'0 + + constant ab : Seq.seq t_T'0 + + constant b : t_Iter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_Iter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + + + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 585 14 585 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 583 4 583 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq + + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_T'0) + + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_IterMut'0 = + { t_IterMut__inner'0: t_Item'0 } + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + + = + [%#soption2] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o + \/ (exists e : borrowed t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + constant self : t_IterMut'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (self : t_IterMut'0) : () + + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self +end +module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 590 15 590 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 591 15 591 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 592 14 592 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 588 4 588 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + + use prelude.prelude.Borrow type t_T'0 type t_Option'0 = | C_None'0 - | C_Some'0 t_T'0 - - use prelude.prelude.Borrow + | C_Some'0 (borrowed t_T'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] - + type t_IterMut'0 = + { t_IterMut__inner'0: t_Item'0 } - type t_P'0 + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant7] inv'0 self.current /\ inv'0 self.final + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + + = + [%#soption4] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o + \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + use seq.Seq - axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'5 x] . inv'5 x = (let (x0) = x in inv'1 x0) + constant a : t_IterMut'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : borrowed t_T'0) - + constant ab : Seq.seq (borrowed t_T'0) - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + constant b : t_IterMut'0 - axiom inv_axiom'4 [@rewrite] : forall x : bool [inv'6 x] . 
inv'6 x = true + constant bc : Seq.seq (borrowed t_T'0) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : borrowed t_T'0) (result : bool) - + constant c : t_IterMut'0 - let rec call_once'0 (self:t_P'0) (args:borrowed t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'4 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:bool)-> {inv'6 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve6] self.final = self.current - - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'3 _1 + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__ptr__qyi17063894948818224584__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (* <*const T as std::ptr::PointerExt> *) + let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Opaque - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'0 a_0 - end + use prelude.prelude.Int - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = - [%#sinvariant7] inv'2 self.current /\ inv'2 self.final + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + constant self : opaque_ptr - axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'3 x] . inv'3 x = invariant'1 x + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool - let rec take'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'0))= {[@expl:take 'self' type invariant] inv'3 self} - any - [ return' (result:t_Option'0)-> {inv'2 result} - {[%#soption0] result = self.current /\ self.final = C_None'0} - (! return' {result}) ] - + goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) +end +module M_creusot_contracts__stdqy35z1__ptr__qyi4877913266695965320__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (* <*mut T as std::ptr::PointerExt> *) + let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 96 14 96 48 + let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 98 8 98 30 - predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = - [%#sresolve6] self.final = self.current + use prelude.prelude.Opaque - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = - resolve'4 _1 + use prelude.prelude.Int - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 90 4 90 30] (self : opaque_ptr) : int - use prelude.prelude.Intrinsic 
+ constant self : opaque_ptr - meta "compute_max_steps" 1000000 + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (self : opaque_ptr) : bool - let rec extern_spec_std_option_T_Option_T_take_if_body'0 (self_:borrowed (t_Option'0)) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'self_' type invariant] [%#soption0] inv'3 self_} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'predicate' type invariant] [%#soption1] inv'4 predicate'} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body requires] [%#soption2] match self_.current with - | C_None'0 -> true - | C_Some'0 t -> forall b : borrowed t_T'0 . inv'1 b /\ b.current = t -> precondition'0 predicate' (b) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_.current} - (fun (r0'0:t_T'0) -> - {inv'0 r0'0} - Borrow.borrow_mut {r0'0} - (fun (_ret':borrowed t_T'0) -> - [ &t <- _ret' ] - -{inv'0 _ret'.final}- - [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] - s1)) - | s1 = {inv'0 t.current} - Borrow.borrow_final {t.current} {Borrow.get_id t} - (fun (_ret':borrowed t_T'0) -> - [ &_10 <- _ret' ] - -{inv'0 _ret'.final}- - [ &t <- { t with current = _ret'.final } ] - s2) - | s2 = [ &_9 <- (_10) ] s3 - | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) - | s4 = bb7 ] - - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'1 t} s1 - | s1 = -{resolve'0 t}- s2 - | s2 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! 
bb8) ] ] - - | bb8 = s0 - [ s0 = {inv'2 self_.current} - Borrow.borrow_final {self_.current} {Borrow.get_id self_} - (fun (_ret':borrowed (t_Option'0)) -> - [ &_11 <- _ret' ] - -{inv'2 _ret'.final}- - [ &self_ <- { self_ with current = _ret'.final } ] - s1) - | s1 = take'0 {_11} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s2) - | s2 = bb9 ] - - | bb9 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb12 ] - | bb10 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb11 ] - | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] - | bb12 = bb13 - | bb4 = s0 - [ s0 = {[@expl:type invariant] inv'4 predicate'} s1 - | s1 = -{resolve'2 predicate'}- s2 - | s2 = {[@expl:type invariant] inv'3 self_} s3 - | s3 = -{resolve'1 self_}- s4 - | s4 = bb6 ] - - | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb13 ] - | bb13 = bb14 - | bb14 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : borrowed (t_Option'0) = self_ - | & predicate' : t_P'0 = predicate' - | & t : borrowed t_T'0 = any_l () - | & _7 : bool = any_l () - | & _9 : borrowed t_T'0 = any_l () - | & _10 : borrowed t_T'0 = any_l () - | & _11 : borrowed (t_Option'0) = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_take_if_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body ensures] [%#soption4] match self_.current with - | C_None'0 -> result = C_None'0 /\ self_.final = C_None'0 - | C_Some'0 cur -> exists b : borrowed t_T'0, res : bool . inv'1 b - /\ cur = b.current - /\ postcondition_once'0 predicate' (b) res - /\ (if res then - self_.final = C_None'0 /\ result = C_Some'0 (b.final) - else - self_.final = C_Some'0 (b.final) /\ result = C_None'0 - ) - end} - (! 
return' {result}) ] - + goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 - - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 - - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 - - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - +module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_refl 
[#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 411 14 411 45 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 409 4 409 10 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use prelude.prelude.Borrow - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Iter'0 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Slice - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.UIntSize - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + constant v_MAX'0 : usize = (18446744073709551615 : usize) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Int - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Slice - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice8] view'2 self = Slice.id self) - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel5] view'2 self - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sindex6] Seq.get (view'2 self) ix - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Option'0) (o : t_Option'0) : bool - - = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - constant x : t_Option'0 + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice4] forall i : int . 
0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - constant y : t_Option'0 + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : t_Option'0) (y : t_Option'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + = + [%#sslice2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant self : t_Iter'0 - type t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (self : t_Iter'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 416 15 416 32 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 417 15 417 32 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 418 14 418 42 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 414 4 414 10 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use prelude.prelude.Opaque - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_Iter'0 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - 
axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use prelude.prelude.Borrow - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Slice - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.UIntSize - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + constant v_MAX'0 : usize = (18446744073709551615 : usize) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Int - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Slice - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice10] view'2 self = Slice.id self) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel7] view'2 self - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex8] Seq.get (view'2 self) ix - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . 
([%#sslice5] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - - = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + use seq.Seq - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Option'0) (o : t_Option'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#sord2] cmp_log'0 self o = C_Less'0 + [%#sslice4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant x : t_Option'0 + constant a : t_Iter'0 - constant y : t_Option'0 + constant ab : Seq.seq t_T'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : t_Option'0) (y : t_Option'0) : () - + constant b : t_Iter'0 - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant bc : Seq.seq t_T'0 - type t_T'0 + constant c : t_Iter'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) + -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 465 14 465 45 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 463 4 463 10 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 + let%span sslice5 = 
"../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + let%span smodel8 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sindex9 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_T'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Opaque - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_IterMut'0 = + { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.UIntSize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.UIntSize - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Slice - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Slice - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice6] Seq.length (view'1 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice7] view'1 self = Slice.id self) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom view'0_spec : forall self : t_IterMut'0 . 
[%#sslice3] Seq.length (view'1 (view'0 self).final) + = Seq.length (view'1 (view'0 self).current) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + + = + [%#smodel8] view'1 self.current - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sindex9] Seq.get (view'1 self) ix - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Option'0) (o : t_Option'0) : bool + function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - = - [%#sord2] cmp_log'0 self o <> C_Less'0 - constant x : t_Option'0 + axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice4] Seq.length (to_mut_seq'0 self) + = Seq.length (view'2 self)) + && ([%#sslice5] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq'0 self) + -> Seq.get (to_mut_seq'0 self) i + = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) - constant y : t_Option'0 + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : t_Option'0) (y : t_Option'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + = + [%#sslice2] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) + constant self : t_IterMut'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (self : t_IterMut'0) : () + + goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span 
sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 470 15 470 32 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 471 15 471 32 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 472 14 472 42 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 468 4 468 10 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + let%span smodel10 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sindex11 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - type t_T'0 + use prelude.prelude.Opaque - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_IterMut'0 = + { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } - function cmp_log'1 
[#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Borrow - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.UIntSize - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.Int - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Slice - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Slice - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + axiom view'1_spec : forall self : slice t_T'0 . 
([%#sslice8] Seq.length (view'1 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice9] view'1 self = Slice.id self) - axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice5] Seq.length (view'1 (view'0 self).final) + = Seq.length (view'1 (view'0 self).current) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + + = + [%#smodel10] view'1 self.current - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex11] Seq.get (view'1 self) ix - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice6] Seq.length (to_mut_seq'0 self) + = Seq.length (view'2 self)) + && ([%#sslice7] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) + -> Seq.get (to_mut_seq'0 self) i + = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sslice4] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Option'0) (o : t_Option'0) : bool - - = - [%#sord2] cmp_log'0 self o = C_Greater'0 + constant a : t_IterMut'0 - constant x : t_Option'0 + constant ab : Seq.seq (borrowed t_T'0) - constant y : t_Option'0 + constant b : t_IterMut'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : t_Option'0) (y : t_Option'0) : () + constant bc : Seq.seq (borrowed t_T'0) + + constant c : t_IterMut'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) + goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) + -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span soption2 = 
"../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 +module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_refl [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (* as std::iter::Iterator> *) + let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 270 14 270 45 + let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 268 4 268 10 + let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_T'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + type t_A'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_A'0 } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_IntoIter'0 = + { t_IntoIter__buf'0: t_NonNull'0; + t_IntoIter__phantom'0: (); + t_IntoIter__cap'0: usize; + t_IntoIter__alloc'0: t_ManuallyDrop'0; + t_IntoIter__ptr'0: t_NonNull'0; + t_IntoIter__end'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use seq.Seq - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + + = + [%#svec2] view'0 self = Seq.(++) visited (view'0 rhs) - axiom refl'1_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 + constant self : t_IntoIter'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (self : t_IntoIter'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_refl'0 : [%#svec0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_trans [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (* as std::iter::Iterator> *) + let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 275 15 275 32 + let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 276 15 276 32 + let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 277 14 277 42 + let%span svec3 = "../../../creusot-contracts/src/std/vec.rs" 273 4 273 10 + let%span svec4 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Opaque - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_A'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_A'0 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_IntoIter'0 = + { t_IntoIter__buf'0: t_NonNull'0; + t_IntoIter__phantom'0: (); + t_IntoIter__cap'0: usize; + t_IntoIter__alloc'0: t_ManuallyDrop'0; + t_IntoIter__ptr'0: t_NonNull'0; + t_IntoIter__end'0: opaque_ptr } - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_T'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) = - [%#soption2] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#svec4] view'0 self = Seq.(++) visited (view'0 rhs) - constant x : t_Option'0 + constant a : t_IntoIter'0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : t_Option'0) : () + constant ab : Seq.seq t_T'0 - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 + constant b : t_IntoIter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + + goal vc_produces_trans'0 : ([%#svec1] produces'0 b bc c) + -> ([%#svec0] produces'0 a ab b) -> ([%#svec2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_T'0 + use prelude.prelude.Real - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - - - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + constant y : Real.real - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : Real.real) (y : Real.real) : () - axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 + goal vc_cmp_le_log'0 : [%#sord0] Real.(<=) x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Real - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + constant y : Real.real - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : Real.real) (y : Real.real) : () + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + goal vc_cmp_lt_log'0 : [%#sord0] Real.(<) x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use prelude.prelude.Real - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Real - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use prelude.prelude.Real - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 = - [%#soption4] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end - - constant x : t_Option'0 - - constant y : t_Option'0 + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant z : t_Option'0 + constant x : Real.real - constant o : t_Ordering'0 + constant y : Real.real - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : t_Option'0) (y : t_Option'0) (z : t_Option'0) (o : t_Ordering'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : Real.real) (y : Real.real) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) + goal vc_cmp_ge_log'0 : [%#sord0] Real.(>=) x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_T'0 + use prelude.prelude.Real - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : Real.real - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : Real.real) (y : Real.real) : () + - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + goal vc_cmp_gt_log'0 : [%#sord0] Real.(>) x y = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Real - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + constant x : Real.real - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : Real.real) : () - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span snum_rational4 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Real - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Real - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational4] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + constant y : Real.real - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + constant z : Real.real - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + constant o : t_Ordering'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : Real.real) (y : Real.real) (z : Real.real) (o : t_Ordering'0) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : t_Option'0 + constant x : Real.real - constant y : t_Option'0 + constant y : Real.real - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : t_Option'0) (y : t_Option'0) : () - + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : Real.real) (y : Real.real) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* as logic::ord::OrdLogic> *) +module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : Real.real - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : Real.real) (y : Real.real) : () - axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.Real - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant x : Real.real - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + constant y : Real.real - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : Real.real) (y : Real.real) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__ghost__qyi17645547594388049322__clone [#"../../../creusot-contracts/src/ghost.rs" 50 4 50 27] (* as std::clone::Clone> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 50 14 50 18 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 50 23 50 27 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 49 14 49 29 + let%span sclone3 = "../../../creusot-contracts/src/std/clone.rs" 7 0 20 1 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_T'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'4 self - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'2 x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant4] inv'3 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'1 x - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - - = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + let rec clone'1 (self:t_T'0) (return' (ret:t_T'0))= {[@expl:clone 'self' type invariant] inv'2 self} + any [ return' (result:t_T'0)-> {inv'3 result} {[%#sclone3] result = self} (! return' {result}) ] - constant x : t_Option'0 + use prelude.prelude.Intrinsic - constant y : t_Option'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : t_Option'0) (y : t_Option'0) : () - + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'3 a_0 + end - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 
72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = + [%#sinvariant4] inv'1 self - type t_T'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + meta "compute_max_steps" 1000000 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + let rec clone'0 (self:t_GhostBox'0) (return' (ret:t_GhostBox'0))= {[@expl:clone 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 [ s0 = clone'1 {self.t_GhostBox__0'0} (fun (_ret':t_T'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = _3 } ] s1 | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'0 = self | & _3 : t_T'0 = any_l () ] + [ return' (result:t_GhostBox'0)-> {[@expl:clone result type invariant] [%#sghost1] inv'1 result} + {[@expl:clone ensures] [%#sghost2] result = self} + (! 
return' {result}) ] +end +module M_creusot_contracts__ghost__qyi1862168959261460300__deref [#"../../../creusot-contracts/src/ghost.rs" 69 4 69 36] (* as std::ops::Deref> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 69 23 69 36 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 + let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) - - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use prelude.prelude.Borrow - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Intrinsic - axiom refl'0_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'3 self - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'2 x] . inv'2 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = + [%#sinvariant3] inv'2 self - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant3] inv'3 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'1 x - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + meta "compute_max_steps" 1000000 - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + let rec deref'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:deref 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 + [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 + | s1 = [ &_4 <- _5 ] s2 + | s2 = [ &_2 <- _4 ] s3 + | s3 = [ &_0 <- _2 ] s4 + | s4 = return' {_0} ] + ] + ) + [ & _0 : t_T'0 = any_l () + | & self : t_GhostBox'0 = self + | & _2 : t_T'0 = any_l () + | & _4 : t_T'0 = any_l () + | & _5 : t_T'0 = any_l () ] - = - [%#soption2] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [ return' (result:t_T'0)-> {[@expl:deref result type invariant] [%#sghost1] inv'1 result} + {[@expl:deref ensures] [%#sghost2] self.t_GhostBox__0'0 = result} + (! 
return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi17214052996668775070__deref_mut [#"../../../creusot-contracts/src/ghost.rs" 85 4 85 48] (* as std::ops::DerefMut> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 85 22 85 26 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 85 31 85 48 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 84 14 84 36 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - constant x : t_Option'0 + use prelude.prelude.Borrow - constant y : t_Option'0 + type t_T'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : t_Option'0) (y : t_Option'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 476 14 476 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 474 4 474 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant4] inv'0 self.current /\ inv'0 self.final - type t_T'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . 
inv'1 x = invariant'0 x - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'2 _1 - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'0 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant self : t_IntoIter'0 + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . 
inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (self : t_IntoIter'0) : () + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'0)) = + [%#sinvariant4] inv'3 self.current /\ inv'3 self.final - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 481 15 481 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 482 15 482 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 483 14 483 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 479 4 479 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'0)) - type t_T'0 + axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'0) [inv'2 x] . inv'2 x = invariant'1 x - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'0)) = + [%#sresolve3] self.final = self.current - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'0)) = + resolve'3 _1 - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + use prelude.prelude.Intrinsic - use seq.Seq + meta "compute_max_steps" 1000000 - use seq.Seq + let rec deref_mut'0 (self:borrowed (t_GhostBox'0)) (return' (ret:borrowed t_T'0))= {[@expl:deref_mut 'self' type invariant] [%#sghost0] inv'2 self} + (! 
bb0 + [ bb0 = s0 + [ s0 = {inv'0 (self.current).t_GhostBox__0'0} + Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_T'0) -> + [ &_5 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] + s1) + | s1 = {inv'0 _5.current} + Borrow.borrow_final {_5.current} {Borrow.get_id _5} + (fun (_ret':borrowed t_T'0) -> + [ &_4 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_5 <- { _5 with current = _ret'.final } ] + s2) + | s2 = {inv'0 _4.current} + Borrow.borrow_final {_4.current} {Borrow.get_id _4} + (fun (_ret':borrowed t_T'0) -> + [ &_2 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_4 <- { _4 with current = _ret'.final } ] + s3) + | s3 = {inv'0 _2.current} + Borrow.borrow_final {_2.current} {Borrow.get_id _2} + (fun (_ret':borrowed t_T'0) -> + [ &_0 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_2 <- { _2 with current = _ret'.final } ] + s4) + | s4 = {[@expl:type invariant] inv'1 _5} s5 + | s5 = -{resolve'0 _5}- s6 + | s6 = {[@expl:type invariant] inv'1 _4} s7 + | s7 = -{resolve'0 _4}- s8 + | s8 = {[@expl:type invariant] inv'1 _2} s9 + | s9 = -{resolve'0 _2}- s10 + | s10 = {[@expl:type invariant] inv'2 self} s11 + | s11 = -{resolve'1 self}- s12 + | s12 = return' {_0} ] + ] + ) + [ & _0 : borrowed t_T'0 = any_l () + | & self : borrowed (t_GhostBox'0) = self + | & _2 : borrowed t_T'0 = any_l () + | & _4 : borrowed t_T'0 = any_l () + | & _5 : borrowed t_T'0 = any_l () ] + + [ return' (result:borrowed t_T'0)-> {[@expl:deref_mut result type invariant] [%#sghost1] inv'1 result} + {[@expl:deref_mut ensures] [%#sghost2] result + = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} + (! 
return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi2175792468772189056__borrow [#"../../../creusot-contracts/src/ghost.rs" 124 4 124 40] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 124 19 124 23 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 124 28 124 40 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 123 14 123 35 + let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + type t_T'0 - use seq.Seq + type t_GhostBox'1 = + { t_GhostBox__0'0: t_T'0 } - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + use prelude.prelude.Borrow - use seq.Seq + type t_GhostBox'0 = + { t_GhostBox__0'1: t_T'0 } - constant a : t_IntoIter'0 + use prelude.prelude.Intrinsic - constant ab : Seq.seq t_T'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - constant b : t_IntoIter'0 + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'6 self - constant bc : Seq.seq t_T'0 + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - constant c : t_IntoIter'0 + axiom inv_axiom'4 [@rewrite] : forall x : t_T'0 [inv'4 x] . 
inv'4 x = invariant'2 x - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 529 14 529 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 527 4 527 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + axiom inv_axiom'3 [@rewrite] : forall x : t_GhostBox'1 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'1) = + [%#sinvariant3] inv'3 self - use prelude.prelude.Borrow + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - type t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'1 [inv'0 x] . inv'0 x = invariant'0 x - use seq.Seq + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant3] inv'6 self - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'5 x] . 
inv'5 x = invariant'3 x - type t_Iter'0 = - { t_Iter__inner'0: t_Item'0 } + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'5 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) - - = - [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant self : t_Iter'0 + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'1 = a_0} -> inv'2 a_0 + end - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (self : t_Iter'0) : () + meta "compute_max_steps" 1000000 - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + let rec borrow'0 (self:t_GhostBox'1) (return' (ret:t_GhostBox'0))= {[@expl:borrow 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _5 } ] s1 | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'1 = self | & _5 : t_T'0 = any_l () ] + [ return' (result:t_GhostBox'0)-> {[@expl:borrow result type invariant] [%#sghost1] inv'1 result} + {[@expl:borrow ensures] [%#sghost2] result.t_GhostBox__0'1 = self.t_GhostBox__0'0} + (! 
return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 534 15 534 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 535 15 535 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 536 14 536 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 532 4 532 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 +module M_creusot_contracts__ghost__qyi2175792468772189056__borrow_mut [#"../../../creusot-contracts/src/ghost.rs" 138 4 138 52] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 138 27 138 31 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 138 36 138 52 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 137 14 137 39 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + type t_GhostBox'1 = + { t_GhostBox__0'0: t_T'0 } - type t_Iter'0 = - { t_Iter__inner'0: t_Item'0 } + type t_GhostBox'0 = + { t_GhostBox__0'1: borrowed t_T'0 } - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant4] inv'0 self.current /\ inv'0 self.final - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 
506 4 506 34] (self : t_Iter'0) : t_Option'0 + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - use seq.Seq + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'2 _1 - use seq.Seq + predicate invariant'3 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'0 self - constant a : t_Iter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - constant ab : Seq.seq t_T'0 + axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'6 x] . inv'6 x = invariant'3 x - constant b : t_Iter'0 + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - constant bc : Seq.seq t_T'0 + axiom inv_axiom'4 [@rewrite] : forall x : t_GhostBox'1 [inv'5 x] . 
inv'5 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'6 a_0 + end - constant c : t_Iter'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'1)) = + [%#sinvariant4] inv'5 self.current /\ inv'5 self.final - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'1)) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 585 14 585 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 583 4 583 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'1) [inv'2 x] . 
inv'2 x = invariant'1 x - use seq.Seq + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'1)) = + [%#sresolve3] self.final = self.current - use prelude.prelude.Borrow + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'1)) = + resolve'3 _1 - type t_T'0 + use prelude.prelude.Intrinsic - use seq.Seq + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : borrowed t_T'0) = + [%#sboxed5] inv'1 self - type t_Option'0 = - | C_None'0 - | C_Some'0 (borrowed t_T'0) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - type t_IterMut'0 = - { t_IterMut__inner'0: t_Item'0 } + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'1 = a_0} -> inv'4 a_0 + end - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + let rec borrow_mut'0 (self:borrowed (t_GhostBox'1)) (return' (ret:t_GhostBox'0))= {[@expl:borrow_mut 'self' type invariant] [%#sghost0] inv'2 self} + (! 
bb0 + [ bb0 = s0 + [ s0 = {inv'0 (self.current).t_GhostBox__0'0} + Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_T'0) -> + [ &_5 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] + s1) + | s1 = {inv'0 _5.current} + Borrow.borrow_final {_5.current} {Borrow.get_id _5} + (fun (_ret':borrowed t_T'0) -> + [ &_4 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_5 <- { _5 with current = _ret'.final } ] + s2) + | s2 = bb1 ] + + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _4 } ] s1 | s1 = bb2 ] + | bb2 = s0 + [ s0 = {[@expl:type invariant] inv'1 _5} s1 + | s1 = -{resolve'0 _5}- s2 + | s2 = {[@expl:type invariant] inv'2 self} s3 + | s3 = -{resolve'1 self}- s4 + | s4 = return' {_0} ] + ] + ) + [ & _0 : t_GhostBox'0 = any_l () + | & self : borrowed (t_GhostBox'1) = self + | & _4 : borrowed t_T'0 = any_l () + | & _5 : borrowed t_T'0 = any_l () ] + + [ return' (result:t_GhostBox'0)-> {[@expl:borrow_mut result type invariant] [%#sghost1] inv'3 result} + {[@expl:borrow_mut ensures] [%#sghost2] result.t_GhostBox__0'1 + = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} + (! return' {result}) ] - = - [%#soption2] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o - \/ (exists e : borrowed t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - - constant self : t_IterMut'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (self : t_IterMut'0) : () - - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 590 15 590 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 591 15 591 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 592 14 592 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 588 4 588 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 - - use prelude.prelude.Borrow +module M_creusot_contracts__ghost__qyi2175792468772189056__conjure [#"../../../creusot-contracts/src/ghost.rs" 155 4 155 28] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 154 15 154 20 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 155 24 155 28 + let%span sboxed2 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 (borrowed t_T'0) - - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } - - type t_IterMut'0 = - { t_IterMut__inner'0: t_Item'0 } + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - use seq.Seq + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed2] inv'2 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + predicate inv'1 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o - \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'1 a_0 + end - constant a : t_IterMut'0 + meta "compute_max_steps" 1000000 - constant ab : Seq.seq (borrowed t_T'0) + let rec conjure'0 (_1:()) (return' (ret:t_GhostBox'0))= {[@expl:conjure requires] [%#sghost0] false} + (! bb0 [ bb0 = bb1 | bb1 = bb1 [ bb1 = (! bb2) [ bb2 = bb1 ] ] ] ) + [ return' (result:t_GhostBox'0)-> {[@expl:conjure result type invariant] [%#sghost1] inv'0 result} + (! 
return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi2175792468772189056__new [#"../../../creusot-contracts/src/ghost.rs" 181 4 181 28] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 181 24 181 28 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 + let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - constant b : t_IterMut'0 + type t_T'0 - constant bc : Seq.seq (borrowed t_T'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - constant c : t_IterMut'0 + use prelude.prelude.Intrinsic - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__ptr__qyi17063894948818224584__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (* <*const T as std::ptr::PointerExt> *) - let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed3] inv'0 self - use prelude.prelude.Opaque + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use prelude.prelude.Int + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant self : opaque_ptr + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool + meta "compute_max_steps" 1000000 - goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) + let rec new'0 (x:t_T'0) (return' (ret:t_GhostBox'0))= {[@expl:new 'x' type invariant] [%#sghost0] inv'0 x} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = x } ] s1 | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & x : t_T'0 = x ] + [ return' (result:t_GhostBox'0)-> {[@expl:new result type invariant] [%#sghost1] inv'1 result} + {[@expl:new ensures] [%#sghost2] result.t_GhostBox__0'0 = x} + (! 
return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__ptr__qyi4877913266695965320__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (* <*mut T as std::ptr::PointerExt> *) - let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 96 14 96 48 - let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 98 8 98 30 +module M_creusot_contracts__ghost__qyi2175792468772189056__into_inner [#"../../../creusot-contracts/src/ghost.rs" 199 4 199 32] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 199 31 199 32 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 + let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use prelude.prelude.Opaque + type t_T'0 - use prelude.prelude.Int + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 90 4 90 30] (self : opaque_ptr) : int + use prelude.prelude.Intrinsic - constant self : opaque_ptr + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (self : opaque_ptr) : bool + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed3] inv'1 self - goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) -end -module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 411 14 411 45 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 409 4 409 10 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 - let%span sslice3 = 
"../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x - use prelude.prelude.Borrow + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - type t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - use seq.Seq + meta "compute_max_steps" 1000000 - use prelude.prelude.Opaque + let rec into_inner'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:into_inner 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 [ bb0 = bb1 | bb1 = s0 [ s0 = [ &_0 <- self.t_GhostBox__0'0 ] s1 | s1 = bb2 ] | bb2 = return' {_0} ] ) + [ & _0 : t_T'0 = any_l () | & self : t_GhostBox'0 = self ] + + [ return' (result:t_T'0)-> {[@expl:into_inner result type invariant] [%#sghost1] inv'1 result} + {[@expl:into_inner ensures] [%#sghost2] result = self.t_GhostBox__0'0} + (! 
return' {result}) ] + +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__subtract [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 195 15 195 33 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 196 14 196 36 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 197 14 197 46 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 198 14 202 5 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 180 14 184 5 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 204 8 204 33 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 154 12 154 89 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 146 19 146 71 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 163 15 163 35 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 164 14 170 5 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 171 14 171 54 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap12 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap13 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap16 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap17 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + type t_FMap'0 - type t_Iter'0 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_K'0 - use prelude.prelude.Slice + type t_V'0 - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 + 
type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use seq.Seq + use map.Map - use seq.Seq + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) + - use seq.Seq + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap17] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'0 m1 <> view'0 m2 - use prelude.prelude.UIntSize + use map.Map - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap14] Map.get (view'0 self) k - use prelude.prelude.UIntSize + function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + + = + [%#sfmap15] get_unsized'0 self k <> C_None'0 - use prelude.prelude.Int + function subset'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 152 4 152 44] (self : t_FMap'0) (other : t_FMap'0) : bool + + = + [%#sfmap6] forall k : t_K'0 . contains'0 self k -> get_unsized'0 other k = get_unsized'0 self k - use prelude.prelude.Slice + function disjoint'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 145 4 145 46] (self : t_FMap'0) (other : t_FMap'0) : bool + + = + [%#sfmap7] forall k : t_K'0 . not contains'0 self k \/ not contains'0 other k - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + use prelude.prelude.Int - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice8] view'2 self = Slice.id self) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel5] view'2 self + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap16] len'0 self >= 0 - use seq.Seq + function union'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 172 4 172 43] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + - use seq.Seq + axiom union'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap8] disjoint'0 self other) + -> ([%#sfmap9] forall k : t_K'0 . get_unsized'0 (union'0 self other) k + = (if contains'0 self k then + get_unsized'0 self k + else + if contains'0 other k then get_unsized'0 other k else C_None'0 + )) + && ([%#sfmap10] len'0 (union'0 self other) = len'0 self + len'0 other) - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool = - [%#sindex6] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + [%#sfmap13] view'0 self = view'0 other - use seq.Seq + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap11] ext_eq'0 self other -> self = other) + && ([%#sfmap12] (forall k : t_K'0 . 
get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function subtract_keys'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 185 4 185 51] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - = - [%#sslice2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant self : t_Iter'0 + axiom subtract_keys'0_spec : forall self : t_FMap'0, other : t_FMap'0 . [%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k) - function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (self : t_Iter'0) : () + constant self : t_FMap'0 - goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 416 15 416 32 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 417 15 417 32 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 418 14 418 42 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 414 4 414 10 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + constant other : 
t_FMap'0 - use prelude.prelude.Opaque + function subtract'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + goal vc_subtract'0 : ([%#sfmap0] subset'0 other self) + -> ([%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k)) + -> (let result = subtract_keys'0 self other in ([%#sfmap1] disjoint'0 result other) + && ([%#sfmap2] ext_eq'0 (union'0 other result) self) + && ([%#sfmap3] forall k : t_K'0 . get_unsized'0 result k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k))) +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__ext_eq [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - type t_Iter'0 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_K'0 - use prelude.prelude.Borrow + type t_FMap'0 - type t_T'0 + type t_V'0 - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use prelude.prelude.Slice + use map.Map - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) + - use seq.Seq + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'0 m1 <> view'0 m2 - use seq.Seq + use map.Map - use seq.Seq + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] Map.get (view'0 self) k - use prelude.prelude.UIntSize + constant self : t_FMap'0 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + constant other : t_FMap'0 - use prelude.prelude.UIntSize + function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool + - use prelude.prelude.Int + goal vc_ext_eq'0 : ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) + -> ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) + -> (let result = view'0 self = view'0 other in ([%#sfmap0] result -> self = other) + && ([%#sfmap1] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> result)) +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__contains_ghost [#"../../../creusot-contracts/src/logic/fmap.rs" 285 4 285 49] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 285 27 285 31 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 285 33 285 36 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 284 14 284 43 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 314 22 314 26 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 314 28 314 31 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 314 40 314 50 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 306 4 313 11 + let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 36 26 36 51 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 + let%span sfmap10 = 
"../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sutil11 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil12 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 + let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 452 20 452 91 + let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use prelude.prelude.Slice + use prelude.prelude.Borrow - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + type t_FMap'0 - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice10] view'2 self = Slice.id self) + type t_K'0 - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel7] view'2 self + type t_V'0 - use seq.Seq + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - use seq.Seq + use map.Map - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - = - [%#sindex8] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap14] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'0 m1 <> view'0 m2 - use seq.Seq + use map.Map - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#sslice4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - - constant a : t_Iter'0 + [%#sfmap10] Map.get (view'0 self) k - constant ab : Seq.seq t_T'0 + function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + + = + [%#sfmap8] get_unsized'0 self k <> C_None'1 - constant b : t_Iter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - constant bc : Seq.seq t_T'0 + function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'1) : t_V'0 - constant c : t_Iter'0 + axiom unwrap'0_spec : forall op : t_Option'1 . 
([%#sutil11] op <> C_None'1) + -> ([%#sutil12] C_Some'1 (unwrap'0 op) = op) - function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + function lookup_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 123 4 123 50] (self : t_FMap'0) (k : t_K'0) : t_V'0 + = + [%#sfmap9] unwrap'0 (get_unsized'0 self k) - goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) - -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 465 14 465 45 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 463 4 463 10 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - let%span smodel8 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sindex9 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - - use seq.Seq - - use prelude.prelude.Borrow + predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - type t_T'0 + predicate invariant'5 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_V'0) = + [%#sboxed16] inv'7 self - use seq.Seq + predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - use prelude.prelude.Opaque + 
axiom inv_axiom'6 [@rewrite] : forall x : t_V'0 [inv'8 x] . inv'8 x = invariant'5 x - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + predicate invariant'4 [#"../../../creusot-contracts/src/logic/fmap.rs" 451 4 451 30] (self : t_FMap'0) = + [%#sfmap15] forall k : t_K'0 . contains'0 self k -> inv'6 k /\ inv'8 (lookup_unsized'0 self k) - type t_IterMut'0 = - { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) - use seq.Seq + axiom inv_axiom'5 [@rewrite] : forall x : t_FMap'0 [inv'5 x] . inv'5 x = invariant'4 x - use prelude.prelude.UIntSize + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_FMap'0) = + [%#sinvariant13] inv'5 self - constant v_MAX'0 : usize = (18446744073709551615 : usize) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) - use prelude.prelude.UIntSize + axiom inv_axiom'0 [@rewrite] : forall x : t_FMap'0 [inv'0 x] . inv'0 x = invariant'0 x - use prelude.prelude.Int + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_K'0) = + [%#sinvariant13] inv'6 self - use prelude.prelude.Slice + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - use prelude.prelude.Slice + axiom inv_axiom'1 [@rewrite] : forall x : t_K'0 [inv'1 x] . inv'1 x = invariant'1 x - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_V'0) = + [%#sinvariant13] inv'7 self - axiom view'1_spec : forall self : slice t_T'0 . 
([%#sslice6] Seq.length (view'1 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice7] view'1 self = Slice.id self) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) - + axiom inv_axiom'4 [@rewrite] : forall x : t_V'0 [inv'4 x] . inv'4 x = invariant'3 x - axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice3] Seq.length (view'1 (view'0 self).final) - = Seq.length (view'1 (view'0 self).current) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - use seq.Seq + axiom inv_axiom'2 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end - function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + let rec get_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:t_Option'0))= {[@expl:get_ghost 'self' type invariant] [%#sfmap3] inv'0 self} + {[@expl:get_ghost 'key' type invariant] [%#sfmap4] inv'1 key} + any + [ return' (result:t_Option'0)-> {[%#sfmap5] inv'2 result} + {[%#sfmap6] if contains'0 self key then + match result with + | C_None'0 -> false + | C_Some'0 r -> lookup_unsized'0 self key = r + end + else + result = C_None'0 + } + (! return' {result}) ] - = - [%#smodel8] view'1 self.current - use seq.Seq + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Option'0) = + [%#sinvariant13] inv'2 self - use seq.Seq + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex9] Seq.get (view'1 self) ix + axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'3 x] . 
inv'3 x = invariant'2 x - function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - + let rec is_some'0 (self:t_Option'0) (return' (ret:bool))= {[@expl:is_some 'self' type invariant] inv'3 self} + any [ return' (result:bool)-> {[%#soption7] result = (self <> C_None'0)} (! return' {result}) ] - axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice4] Seq.length (to_mut_seq'0 self) - = Seq.length (view'2 self)) - && ([%#sslice5] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) - -> Seq.get (to_mut_seq'0 self) i - = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) + use prelude.prelude.Intrinsic - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + let rec contains_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:bool))= {[@expl:contains_ghost 'self' type invariant] [%#sfmap0] inv'0 self} + {[@expl:contains_ghost 'key' type invariant] [%#sfmap1] inv'1 key} + (! bb0 + [ bb0 = s0 [ s0 = get_ghost'0 {self} {key} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = is_some'0 {_5} (fun (_ret':bool) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : bool = any_l () | & self : t_FMap'0 = self | & key : t_K'0 = key | & _5 : t_Option'0 = any_l () ] + [ return' (result:bool)-> {[@expl:contains_ghost ensures] [%#sfmap2] result = contains'0 self key} + (! 
return' {result}) ] - = - [%#sslice2] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - - constant self : t_IterMut'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (self : t_IterMut'0) : () - - goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 470 15 470 32 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 471 15 471 32 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 472 14 472 42 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 468 4 468 10 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - let%span smodel10 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sindex11 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - - use prelude.prelude.Opaque - - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } - - type t_IterMut'0 = - { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = 
"../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_T'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - use prelude.prelude.UIntSize + constant y : int - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int) (y : int) : () - use prelude.prelude.UIntSize + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Slice + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Slice + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + constant y : int - axiom view'1_spec : forall self : slice t_T'0 . 
([%#sslice8] Seq.length (view'1 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice9] view'1 self = Slice.id self) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int) (y : int) : () - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) - + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice5] Seq.length (view'1 (view'0 self).final) - = Seq.length (view'1 (view'0 self).current) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#smodel10] view'1 self.current + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - use seq.Seq + constant y : int - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex11] Seq.get (view'1 self) ix + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int) (y : int) : () - function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - + goal vc_cmp_ge_log'0 : [%#sord0] (x 
>= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice6] Seq.length (to_mut_seq'0 self) - = Seq.length (view'2 self)) - && ([%#sslice7] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) - -> Seq.get (to_mut_seq'0 self) i - = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#sslice4] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant a : t_IterMut'0 + constant x : int - constant ab : Seq.seq (borrowed t_T'0) + constant y : int - constant b : t_IterMut'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int) (y : int) : () - constant bc : Seq.seq (borrowed t_T'0) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = 
"../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - constant c : t_IterMut'0 + use prelude.prelude.Int - function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) - -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) + constant x : int + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int) : () + + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_refl [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (* as std::iter::Iterator> *) - let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 270 14 270 45 - let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 268 4 268 10 - let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 +module M_creusot_contracts__logic__ord__qyi8355372356285216375__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use seq.Seq + use prelude.prelude.Int - type t_T'0 + 
type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Opaque + constant x : int - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + constant y : int - use prelude.prelude.UIntSize + constant z : int - type t_A'0 + constant o : t_Ordering'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_A'0 } + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int) (y : int) (z : int) (o : t_Ordering'0) : () + - type t_IntoIter'0 = - { t_IntoIter__buf'0: t_NonNull'0; - t_IntoIter__phantom'0: (); - t_IntoIter__cap'0: usize; - t_IntoIter__alloc'0: t_ManuallyDrop'0; - t_IntoIter__ptr'0: t_NonNull'0; - t_IntoIter__end'0: opaque_ptr } + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : 
t_Ordering'0 = - [%#svec2] view'0 self = Seq.(++) visited (view'0 rhs) + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant self : t_IntoIter'0 + constant x : int - function produces_refl'0 [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (self : t_IntoIter'0) : () + constant y : int - goal vc_produces_refl'0 : [%#svec0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_trans [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (* as std::iter::Iterator> *) - let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 275 15 275 32 - let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 276 15 276 32 - let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 277 14 277 42 - let%span svec3 = "../../../creusot-contracts/src/std/vec.rs" 273 4 273 10 - let%span svec4 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int) (y : int) : () - use prelude.prelude.Opaque + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + use prelude.prelude.Int - use prelude.prelude.UIntSize + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_A'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : 
t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_A'0 } + constant x : int - type t_IntoIter'0 = - { t_IntoIter__buf'0: t_NonNull'0; - t_IntoIter__phantom'0: (); - t_IntoIter__cap'0: usize; - t_IntoIter__alloc'0: t_ManuallyDrop'0; - t_IntoIter__ptr'0: t_NonNull'0; - t_IntoIter__end'0: opaque_ptr } + constant y : int - type t_T'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int) (y : int) : () - use seq.Seq + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#svec4] view'0 self = Seq.(++) visited (view'0 rhs) - - constant a : t_IntoIter'0 - - constant ab : Seq.seq t_T'0 - - constant b : t_IntoIter'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant bc : Seq.seq t_T'0 + constant x : int - constant c : t_IntoIter'0 + constant y : int - function produces_trans'0 [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (a : t_IntoIter'0) (ab : Seq.seq 
t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int) (y : int) : () - goal vc_produces_trans'0 : ([%#svec1] produces'0 b bc c) - -> ([%#svec0] produces'0 a ab b) -> ([%#svec2] produces'0 a (Seq.(++) ab bc) c) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : Real.real) (y : Real.real) : () - + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint8) (y : uint8) : () - goal 
vc_cmp_le_log'0 : [%#sord0] Real.(<=) x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : Real.real) (y : Real.real) : () - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint8) (y : uint8) : () - goal vc_cmp_lt_log'0 : [%#sord0] Real.(<) x y = (cmp_log'0 x y = C_Less'0) + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 
8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : Real.real) (y : Real.real) : () - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint8) (y : uint8) : () - goal vc_cmp_ge_log'0 : [%#sord0] Real.(>=) x y = (cmp_log'0 x y <> C_Less'0) + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 
= "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : Real.real) (y : Real.real) : () - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint8) (y : uint8) : () - goal vc_cmp_gt_log'0 : [%#sord0] Real.(>) x y = (cmp_log'0 x y = C_Greater'0) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use 
prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : Real.real) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint8) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__num_rational__qyi7156484438548626841__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span snum_rational4 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational4] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - constant z : Real.real + constant z : uint8 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : Real.real) (y : Real.real) (z : Real.real) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint8) (y : uint8) (z : uint8) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - 
[%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : Real.real) (y : Real.real) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint8) (y : uint8) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + 
constant y : uint8 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : Real.real) (y : Real.real) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint8) (y : uint8) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : Real.real) (y : Real.real) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint8) (y : uint8) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module 
M_creusot_contracts__ghost__qyi17645547594388049322__clone [#"../../../creusot-contracts/src/ghost.rs" 50 4 50 27] (* as std::clone::Clone> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 50 14 50 18 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 50 23 50 27 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 49 14 49 29 - let%span sclone3 = "../../../creusot-contracts/src/std/clone.rs" 7 0 20 1 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - - type t_T'0 - - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } - - use prelude.prelude.Borrow - - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'4 self - - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'2 x - - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant4] inv'3 self - - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - - let rec clone'1 (self:t_T'0) (return' (ret:t_T'0))= {[@expl:clone 'self' type invariant] inv'2 self} - any [ return' (result:t_T'0)-> {inv'3 result} {[%#sclone3] result = self} (! return' {result}) ] - - use prelude.prelude.Intrinsic - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . 
inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'3 a_0 - end - - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = - [%#sinvariant4] inv'1 self - - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec clone'0 (self:t_GhostBox'0) (return' (ret:t_GhostBox'0))= {[@expl:clone 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 [ s0 = clone'1 {self.t_GhostBox__0'0} (fun (_ret':t_T'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = _3 } ] s1 | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'0 = self | & _3 : t_T'0 = any_l () ] - [ return' (result:t_GhostBox'0)-> {[@expl:clone result type invariant] [%#sghost1] inv'1 result} - {[@expl:clone ensures] [%#sghost2] result = self} - (! 
return' {result}) ] - -end -module M_creusot_contracts__ghost__qyi1862168959261460300__deref [#"../../../creusot-contracts/src/ghost.rs" 69 4 69 36] (* as std::ops::Deref> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 69 23 69 36 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + use prelude.prelude.UInt16 - type t_T'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Borrow + constant x : uint16 - use prelude.prelude.Intrinsic + constant y : uint16 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint16) (y : uint16) : () - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'3 self + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Int - axiom inv_axiom'3 [@rewrite] : forall x 
: t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + use prelude.prelude.UInt16 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'2 x] . inv'2 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = - [%#sinvariant3] inv'2 self + constant x : uint16 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant y : uint16 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint16) (y : uint16) : () - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant3] inv'3 self + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . 
inv'1 x = invariant'1 x + use prelude.prelude.UInt16 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec deref'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:deref 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 - [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 - | s1 = [ &_4 <- _5 ] s2 - | s2 = [ &_2 <- _4 ] s3 - | s3 = [ &_0 <- _2 ] s4 - | s4 = return' {_0} ] - ] - ) - [ & _0 : t_T'0 = any_l () - | & self : t_GhostBox'0 = self - | & _2 : t_T'0 = any_l () - | & _4 : t_T'0 = any_l () - | & _5 : t_T'0 = any_l () ] - - [ return' (result:t_T'0)-> {[@expl:deref result type invariant] [%#sghost1] inv'1 result} - {[@expl:deref ensures] [%#sghost2] self.t_GhostBox__0'0 = result} - (! return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi17214052996668775070__deref_mut [#"../../../creusot-contracts/src/ghost.rs" 85 4 85 48] (* as std::ops::DerefMut> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 85 22 85 26 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 85 31 85 48 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 84 14 84 36 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Borrow + constant x : uint16 - type t_T'0 + constant y : uint16 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint16) (y : uint16) : () - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + goal vc_cmp_ge_log'0 : 
[%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant4] inv'0 self.current /\ inv'0 self.final + use prelude.prelude.Int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + use prelude.prelude.UInt16 - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'2 _1 + constant x : uint16 - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'0 self + constant y : uint16 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint16) (y : uint16) : () - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . 
inv'4 x = invariant'2 x + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt16 - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'0)) = - [%#sinvariant4] inv'3 self.current /\ inv'3 self.final + use prelude.prelude.Int - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'0)) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'0) [inv'2 x] . 
inv'2 x = invariant'1 x + constant x : uint16 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'0)) = - [%#sresolve3] self.final = self.current + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint16) : () - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'0)) = - resolve'3 _1 + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.UInt16 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec deref_mut'0 (self:borrowed (t_GhostBox'0)) (return' (ret:borrowed t_T'0))= {[@expl:deref_mut 'self' type invariant] [%#sghost0] inv'2 self} - (! 
bb0 - [ bb0 = s0 - [ s0 = {inv'0 (self.current).t_GhostBox__0'0} - Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_T'0) -> - [ &_5 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] - s1) - | s1 = {inv'0 _5.current} - Borrow.borrow_final {_5.current} {Borrow.get_id _5} - (fun (_ret':borrowed t_T'0) -> - [ &_4 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_5 <- { _5 with current = _ret'.final } ] - s2) - | s2 = {inv'0 _4.current} - Borrow.borrow_final {_4.current} {Borrow.get_id _4} - (fun (_ret':borrowed t_T'0) -> - [ &_2 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_4 <- { _4 with current = _ret'.final } ] - s3) - | s3 = {inv'0 _2.current} - Borrow.borrow_final {_2.current} {Borrow.get_id _2} - (fun (_ret':borrowed t_T'0) -> - [ &_0 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_2 <- { _2 with current = _ret'.final } ] - s4) - | s4 = {[@expl:type invariant] inv'1 _5} s5 - | s5 = -{resolve'0 _5}- s6 - | s6 = {[@expl:type invariant] inv'1 _4} s7 - | s7 = -{resolve'0 _4}- s8 - | s8 = {[@expl:type invariant] inv'1 _2} s9 - | s9 = -{resolve'0 _2}- s10 - | s10 = {[@expl:type invariant] inv'2 self} s11 - | s11 = -{resolve'1 self}- s12 - | s12 = return' {_0} ] - ] - ) - [ & _0 : borrowed t_T'0 = any_l () - | & self : borrowed (t_GhostBox'0) = self - | & _2 : borrowed t_T'0 = any_l () - | & _4 : borrowed t_T'0 = any_l () - | & _5 : borrowed t_T'0 = any_l () ] - - [ return' (result:borrowed t_T'0)-> {[@expl:deref_mut result type invariant] [%#sghost1] inv'1 result} - {[@expl:deref_mut ensures] [%#sghost2] result - = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} - (! 
return' {result}) ] + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__borrow [#"../../../creusot-contracts/src/ghost.rs" 124 4 124 40] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 124 19 124 23 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 124 28 124 40 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 123 14 123 35 - let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_T'0 + constant x : uint16 - type t_GhostBox'1 = - { t_GhostBox__0'0: t_T'0 } + constant y : uint16 - use prelude.prelude.Borrow + constant z : uint16 - type t_GhostBox'0 = - { t_GhostBox__0'1: t_T'0 } + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint16) (y : uint16) (z : uint16) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.UInt16 - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - 
predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'6 self + use prelude.prelude.Int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'4 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + constant x : uint16 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + constant y : uint16 - axiom inv_axiom'3 [@rewrite] : forall x : t_GhostBox'1 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint16) (y : uint16) : () - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'1) = - [%#sinvariant3] inv'3 self + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + use prelude.prelude.UInt16 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'1 [inv'0 x] . 
inv'0 x = invariant'0 x + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant3] inv'6 self + use prelude.prelude.Int - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'3 x + constant x : uint16 - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'5 self + constant y : uint16 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint16) (y : uint16) : () - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt16 - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . 
inv'1 x - = match x with - | {t_GhostBox__0'1 = a_0} -> inv'2 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec borrow'0 (self:t_GhostBox'1) (return' (ret:t_GhostBox'0))= {[@expl:borrow 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _5 } ] s1 | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'1 = self | & _5 : t_T'0 = any_l () ] - [ return' (result:t_GhostBox'0)-> {[@expl:borrow result type invariant] [%#sghost1] inv'1 result} - {[@expl:borrow ensures] [%#sghost2] result.t_GhostBox__0'1 = self.t_GhostBox__0'0} - (! return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__borrow_mut [#"../../../creusot-contracts/src/ghost.rs" 138 4 138 52] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 138 27 138 31 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 138 36 138 52 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 137 14 137 39 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Borrow + constant x : uint16 - type t_T'0 + constant y : uint16 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint16) (y : uint16) : () - type t_GhostBox'1 = - { t_GhostBox__0'0: t_T'0 } + 
goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_GhostBox'0 = - { t_GhostBox__0'1: borrowed t_T'0 } + use prelude.prelude.Int - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant4] inv'0 self.current /\ inv'0 self.final + use prelude.prelude.UInt32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + constant x : uint32 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'2 _1 + constant y : uint32 - predicate invariant'3 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'0 self + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint32) (y : uint32) : () - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module 
M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'6 x] . inv'6 x = invariant'3 x + use prelude.prelude.Int - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + use prelude.prelude.UInt32 - axiom inv_axiom'4 [@rewrite] : forall x : t_GhostBox'1 [inv'5 x] . inv'5 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'6 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'1)) = - [%#sinvariant4] inv'5 self.current /\ inv'5 self.final + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'1)) + constant x : uint32 - axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'1) [inv'2 x] . 
inv'2 x = invariant'1 x + constant y : uint32 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'1)) = - [%#sresolve3] self.final = self.current + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint32) (y : uint32) : () - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'1)) = - resolve'3 _1 + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.Int - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : borrowed t_T'0) = - [%#sboxed5] inv'1 self + use prelude.prelude.UInt32 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant x : uint32 - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . 
inv'3 x - = match x with - | {t_GhostBox__0'1 = a_0} -> inv'4 a_0 - end + constant y : uint32 - meta "compute_max_steps" 1000000 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint32) (y : uint32) : () - let rec borrow_mut'0 (self:borrowed (t_GhostBox'1)) (return' (ret:t_GhostBox'0))= {[@expl:borrow_mut 'self' type invariant] [%#sghost0] inv'2 self} - (! bb0 - [ bb0 = s0 - [ s0 = {inv'0 (self.current).t_GhostBox__0'0} - Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_T'0) -> - [ &_5 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] - s1) - | s1 = {inv'0 _5.current} - Borrow.borrow_final {_5.current} {Borrow.get_id _5} - (fun (_ret':borrowed t_T'0) -> - [ &_4 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_5 <- { _5 with current = _ret'.final } ] - s2) - | s2 = bb1 ] - - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _4 } ] s1 | s1 = bb2 ] - | bb2 = s0 - [ s0 = {[@expl:type invariant] inv'1 _5} s1 - | s1 = -{resolve'0 _5}- s2 - | s2 = {[@expl:type invariant] inv'2 self} s3 - | s3 = -{resolve'1 self}- s4 - | s4 = return' {_0} ] - ] - ) - [ & _0 : t_GhostBox'0 = any_l () - | & self : borrowed (t_GhostBox'1) = self - | & _4 : borrowed t_T'0 = any_l () - | & _5 : borrowed t_T'0 = any_l () ] - - [ return' (result:t_GhostBox'0)-> {[@expl:borrow_mut result type invariant] [%#sghost1] inv'3 result} - {[@expl:borrow_mut ensures] [%#sghost2] result.t_GhostBox__0'1 - = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} - (! 
return' {result}) ] - + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__ghost__qyi2175792468772189056__conjure [#"../../../creusot-contracts/src/ghost.rs" 155 4 155 28] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 154 15 154 20 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 155 24 155 28 - let%span sboxed2 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.Int + + use prelude.prelude.UInt32 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint32 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed2] inv'2 self + constant y : uint32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint32) (y : uint32) : () - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . 
inv'1 x = invariant'0 x + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt32 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'1 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec conjure'0 (_1:()) (return' (ret:t_GhostBox'0))= {[@expl:conjure requires] [%#sghost0] false} - (! bb0 [ bb0 = bb1 | bb1 = bb1 [ bb1 = (! bb2) [ bb2 = bb1 ] ] ] ) - [ return' (result:t_GhostBox'0)-> {[@expl:conjure result type invariant] [%#sghost1] inv'0 result} - (! 
return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__new [#"../../../creusot-contracts/src/ghost.rs" 181 4 181 28] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 181 24 181 28 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 - let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_T'0 + constant x : uint32 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint32) : () - use prelude.prelude.Intrinsic + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.UInt32 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed3] inv'0 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant x : uint32 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + constant y : uint32 - meta "compute_max_steps" 1000000 + constant z : uint32 - let rec new'0 (x:t_T'0) (return' (ret:t_GhostBox'0))= {[@expl:new 'x' type invariant] [%#sghost0] inv'0 x} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = x } ] s1 | s1 = bb3 ] - | bb3 = bb4 - | bb4 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & x : t_T'0 = x ] - [ return' (result:t_GhostBox'0)-> {[@expl:new result type invariant] [%#sghost1] inv'1 result} - {[@expl:new ensures] [%#sghost2] result.t_GhostBox__0'0 = x} - (! 
return' {result}) ] + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint32) (y : uint32) (z : uint32) (o : t_Ordering'0) : () + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__ghost__qyi2175792468772189056__into_inner [#"../../../creusot-contracts/src/ghost.rs" 199 4 199 32] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 199 31 199 32 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.UInt32 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Intrinsic + use prelude.prelude.Int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed3] inv'1 self + constant x : uint32 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) 
+ constant y : uint32 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint32) (y : uint32) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + use prelude.prelude.UInt32 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec into_inner'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:into_inner 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 [ bb0 = bb1 | bb1 = s0 [ s0 = [ &_0 <- self.t_GhostBox__0'0 ] s1 | s1 = bb2 ] | bb2 = return' {_0} ] ) - [ & _0 : t_T'0 = any_l () | & self : t_GhostBox'0 = self ] - - [ return' (result:t_T'0)-> {[@expl:into_inner result type invariant] [%#sghost1] inv'1 result} - {[@expl:into_inner ensures] [%#sghost2] result = self.t_GhostBox__0'0} - (! 
return' {result}) ] - -end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__subtract [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 195 15 195 33 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 196 14 196 36 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 197 14 197 46 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 198 14 202 5 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 180 14 184 5 - let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 204 8 204 33 - let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 154 12 154 89 - let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 146 19 146 71 - let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 163 15 163 35 - let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 164 14 170 5 - let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 171 14 171 54 - let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 - let%span sfmap12 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 - let%span sfmap13 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 - let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 - let%span sfmap16 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 - let%span sfmap17 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + use prelude.prelude.Int - type t_FMap'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_K'0 + constant x : uint32 - type t_V'0 + constant y : uint32 - type t_Option'0 = - 
| C_None'0 - | C_Some'0 t_V'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint32) (y : uint32) : () - use map.Map + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) - + use prelude.prelude.UInt32 - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap17] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 - -> view'0 m1 <> view'0 m2 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use map.Map + use prelude.prelude.Int - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 = - [%#sfmap14] Map.get (view'0 self) k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool - - = - [%#sfmap15] get_unsized'0 self k <> C_None'0 + constant x : uint32 - function subset'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 152 4 152 44] (self : t_FMap'0) (other : t_FMap'0) : bool - - = - [%#sfmap6] forall k : t_K'0 . 
contains'0 self k -> get_unsized'0 other k = get_unsized'0 self k + constant y : uint32 - function disjoint'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 145 4 145 46] (self : t_FMap'0) (other : t_FMap'0) : bool + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint32) (y : uint32) : () + + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + + use prelude.prelude.Int + + use prelude.prelude.UInt64 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap7] forall k : t_K'0 . 
not contains'0 self k \/ not contains'0 other k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + + constant x : uint64 + + constant y : uint64 + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint64) (y : uint64) : () + + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - - axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap16] len'0 self >= 0 - - function union'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 172 4 172 43] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - + use prelude.prelude.UInt64 - axiom union'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap8] disjoint'0 self other) - -> ([%#sfmap9] forall k : t_K'0 . 
get_unsized'0 (union'0 self other) k - = (if contains'0 self k then - get_unsized'0 self k - else - if contains'0 other k then get_unsized'0 other k else C_None'0 - )) - && ([%#sfmap10] len'0 (union'0 self other) = len'0 self + len'0 other) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap13] view'0 self = view'0 other + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap11] ext_eq'0 self other -> self = other) - && ([%#sfmap12] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + constant x : uint64 - function subtract_keys'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 185 4 185 51] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - + constant y : uint64 - axiom subtract_keys'0_spec : forall self : t_FMap'0, other : t_FMap'0 . [%#sfmap4] forall k : t_K'0 . 
get_unsized'0 (subtract_keys'0 self other) k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint64) (y : uint64) : () - constant self : t_FMap'0 + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - constant other : t_FMap'0 + use prelude.prelude.Int - function subtract'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - + use prelude.prelude.UInt64 - goal vc_subtract'0 : ([%#sfmap0] subset'0 other self) - -> ([%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k)) - -> (let result = subtract_keys'0 self other in ([%#sfmap1] disjoint'0 result other) - && ([%#sfmap2] ext_eq'0 (union'0 other result) self) - && ([%#sfmap3] forall k : t_K'0 . 
get_unsized'0 result k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k))) -end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__ext_eq [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_K'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_FMap'0 + constant x : uint64 - type t_V'0 + constant y : uint64 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint64) (y : uint64) : () - use map.Map + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) - + use prelude.prelude.Int - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 - -> view'0 m1 <> view'0 m2 + use prelude.prelude.UInt64 - use map.Map + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap4] Map.get (view'0 self) k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant self : t_FMap'0 + constant x : uint64 - constant other : t_FMap'0 + constant y : uint64 - function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint64) (y : uint64) : () - goal vc_ext_eq'0 : ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) - -> ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) - -> (let result = view'0 self = view'0 other in ([%#sfmap0] result -> self = other) - && ([%#sfmap1] (forall k : t_K'0 . 
get_unsized'0 self k = get_unsized'0 other k) -> result)) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__contains_ghost [#"../../../creusot-contracts/src/logic/fmap.rs" 285 4 285 49] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 285 27 285 31 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 285 33 285 36 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 284 14 284 43 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 314 22 314 26 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 314 28 314 31 - let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 314 40 314 50 - let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 306 4 313 11 - let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 36 26 36 51 - let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 - let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 - let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - let%span sutil11 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 - let%span sutil12 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 - let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 452 20 452 91 - let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.UInt64 - type t_FMap'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_K'0 + use prelude.prelude.Int - type t_V'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_Option'1 = - | C_None'1 - | C_Some'1 t_V'0 + constant x : uint64 - use map.Map + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint64) : () - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap14] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 - -> view'0 m1 <> view'0 m2 + use prelude.prelude.UInt64 - use map.Map + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 - - = - [%#sfmap10] Map.get (view'0 self) k + use prelude.prelude.Int - function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap8] get_unsized'0 self k <> C_None'1 - - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'1) : t_V'0 + constant x : uint64 - axiom unwrap'0_spec : forall op : t_Option'1 . 
([%#sutil11] op <> C_None'1) - -> ([%#sutil12] C_Some'1 (unwrap'0 op) = op) + constant y : uint64 - function lookup_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 123 4 123 50] (self : t_FMap'0) (k : t_K'0) : t_V'0 - - = - [%#sfmap9] unwrap'0 (get_unsized'0 self k) + constant z : uint64 - predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + constant o : t_Ordering'0 - predicate invariant'5 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_V'0) = - [%#sboxed16] inv'7 self + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint64) (y : uint64) (z : uint64) (o : t_Ordering'0) : () + - predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'6 [@rewrite] : forall x : t_V'0 [inv'8 x] . inv'8 x = invariant'5 x + use prelude.prelude.UInt64 - predicate invariant'4 [#"../../../creusot-contracts/src/logic/fmap.rs" 451 4 451 30] (self : t_FMap'0) = - [%#sfmap15] forall k : t_K'0 . contains'0 self k -> inv'6 k /\ inv'8 (lookup_unsized'0 self k) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) + use prelude.prelude.Int - axiom inv_axiom'5 [@rewrite] : forall x : t_FMap'0 [inv'5 x] . 
inv'5 x = invariant'4 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_FMap'0) = - [%#sinvariant13] inv'5 self + constant x : uint64 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) + constant y : uint64 - axiom inv_axiom'0 [@rewrite] : forall x : t_FMap'0 [inv'0 x] . inv'0 x = invariant'0 x + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint64) (y : uint64) : () - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_K'0) = - [%#sinvariant13] inv'6 self + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) + use prelude.prelude.UInt64 - axiom inv_axiom'1 [@rewrite] : forall x : t_K'0 [inv'1 x] . 
inv'1 x = invariant'1 x + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + use prelude.prelude.Int - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_V'0) = - [%#sinvariant13] inv'7 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + constant x : uint64 - axiom inv_axiom'4 [@rewrite] : forall x : t_V'0 [inv'4 x] . inv'4 x = invariant'3 x + constant y : uint64 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint64) (y : uint64) : () - axiom inv_axiom'2 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - let rec get_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:t_Option'0))= {[@expl:get_ghost 'self' type invariant] [%#sfmap3] inv'0 self} - {[@expl:get_ghost 'key' type invariant] [%#sfmap4] inv'1 key} - any - [ return' (result:t_Option'0)-> {[%#sfmap5] inv'2 result} - {[%#sfmap6] if contains'0 self key then - match result with - | C_None'0 -> false - | C_Some'0 r -> lookup_unsized'0 self key = r - end - else - result = C_None'0 - } - (! return' {result}) ] - + use prelude.prelude.UInt64 - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Option'0) = - [%#sinvariant13] inv'2 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Int - axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x = invariant'2 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - let rec is_some'0 (self:t_Option'0) (return' (ret:bool))= {[@expl:is_some 'self' type invariant] inv'3 self} - any [ return' (result:bool)-> {[%#soption7] result = (self <> C_None'0)} (! 
return' {result}) ] + constant x : uint64 - use prelude.prelude.Intrinsic + constant y : uint64 - meta "compute_max_steps" 1000000 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint64) (y : uint64) : () - let rec contains_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:bool))= {[@expl:contains_ghost 'self' type invariant] [%#sfmap0] inv'0 self} - {[@expl:contains_ghost 'key' type invariant] [%#sfmap1] inv'1 key} - (! bb0 - [ bb0 = s0 [ s0 = get_ghost'0 {self} {key} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = is_some'0 {_5} (fun (_ret':bool) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : bool = any_l () | & self : t_FMap'0 = self | & key : t_K'0 = key | & _5 : t_Option'0 = any_l () ] - [ return' (result:bool)-> {[@expl:contains_ghost ensures] [%#sfmap2] result = contains'0 self key} - (! return' {result}) ] - + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + 
constant x : uint128 - constant y : int + constant y : uint128 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int) (y : int) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint128) (y : uint128) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int) (y : int) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint128) (y : uint128) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 
140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int) (y : int) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint128) (y : uint128) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o 
then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int) (y : int) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint128) (y : uint128) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint128) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 
157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - constant z : int + constant z : uint128 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int) (y : int) (z : int) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint128) (y : uint128) (z : uint128) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int) (y : int) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint128) (y : uint128) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then 
C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int) (y : int) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint128) (y : uint128) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int) (y : int) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint128) (y : uint128) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module 
M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint8) (y : uint8) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : usize) (y : usize) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o 
: uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint8) (y : uint8) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : usize) (y : usize) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint8) (y : uint8) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : usize) (y : usize) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> 
C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint8) (y : uint8) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : usize) (y : usize) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9479,25 +12639,25 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint8) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : usize) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9506,31 +12666,31 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - constant z : uint8 + constant z : usize constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint8) (y : uint8) (z : uint8) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : usize) (y : usize) (z : usize) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9539,26 +12699,26 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint8) (y : uint8) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : usize) (y : usize) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9567,25 +12727,25 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint8) (y : uint8) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : usize) (y : usize) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9594,133 +12754,133 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint8) (y : uint8) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : usize) (y : usize) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 
130 8 130 39] (x : uint16) (y : uint16) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int8) (y : int8) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint16) (y : uint16) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int8) (y : int8) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span 
sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint16) (y : uint16) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int8) (y : int8) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else 
C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint16) (y : uint16) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int8) (y : int8) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9729,25 +12889,25 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint16) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int8) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9756,31 +12916,31 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - constant z : uint16 + constant z : int8 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint16) (y : uint16) (z : uint16) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int8) (y : int8) (z : int8) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9789,26 +12949,26 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint16) (y : uint16) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int8) (y : int8) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9817,25 +12977,25 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint16) (y : uint16) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int8) (y : int8) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9844,133 +13004,133 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint16) (y : uint16) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int8) (y : int8) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint32) (y : uint32) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int16) (y : int16) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint32) (y : uint32) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int16) (y : int16) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint32) (y : uint32) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int16) (y : int16) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = 
[%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint32) (y : uint32) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int16) (y : int16) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -9979,25 +13139,25 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint32) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int16) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -10006,31 +13166,31 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - constant z : uint32 + constant z : int16 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint32) (y : uint32) (z : uint32) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int16) (y : int16) (z : int16) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -10039,26 +13199,26 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint32) (y : uint32) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int16) (y : int16) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -10067,25 +13227,25 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint32) (y : uint32) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int16) (y : int16) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -10094,133 +13254,133 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint32) (y : uint32) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int16) (y : int16) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint64) (y : uint64) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int32) (y : int32) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint64) (y : uint64) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int32) (y : int32) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint64) (y : uint64) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int32) (y : int32) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = 
[%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint64) (y : uint64) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int32) (y : int32) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10229,25 +13389,25 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint64) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int32) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10256,31 +13416,31 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - constant z : uint64 + constant z : int32 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint64) (y : uint64) (z : uint64) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int32) (y : int32) (z : int32) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10289,26 +13449,26 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint64) (y : uint64) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int32) (y : int32) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10317,25 +13477,25 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint64) (y : uint64) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int32) (y : int32) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10344,133 +13504,133 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint64) (y : uint64) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int32) (y : int32) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint128) (y : uint128) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int64) (y : int64) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint128) (y : uint128) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int64) (y : int64) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint128) (y : uint128) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int64) (y : int64) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : 
t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint128) (y : uint128) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int64) (y : int64) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10479,25 +13639,25 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint128) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int64) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10506,31 +13666,31 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - constant z : uint128 + constant z : int64 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint128) (y : uint128) (z : uint128) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int64) (y : int64) (z : int64) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10539,26 +13699,26 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint128) (y : uint128) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int64) (y : int64) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10567,25 +13727,25 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint128) (y : uint128) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int64) (y : int64) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10594,133 +13754,133 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint128) (y : uint128) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int64) (y : int64) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : usize) (y : usize) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int128) (y : int128) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : usize) (y : usize) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int128) (y : int128) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : usize) (y : usize) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int128) (y : int128) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : 
t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : usize) (y : usize) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int128) (y : int128) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10729,25 +13889,25 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : usize) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int128) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10756,31 +13916,31 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - constant z : usize + constant z : int128 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : usize) (y : usize) (z : usize) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int128) (y : int128) (z : int128) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10789,26 +13949,26 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : usize) (y : usize) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int128) (y : int128) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10817,25 +13977,25 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : usize) (y : usize) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int128) (y : int128) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10844,133 +14004,133 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : usize) (y : usize) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int128) (y : int128) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int8) (y : int8) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : isize) (y : isize) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int8) (y : int8) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : isize) (y : isize) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int8) (y : int8) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : isize) (y : isize) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if 
self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int8) (y : int8) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : isize) (y : isize) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -10979,25 +14139,25 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int8) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : isize) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -11006,31 +14166,31 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - constant z : int8 + constant z : isize constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int8) (y : int8) (z : int8) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : isize) (y : isize) (z : isize) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -11039,26 +14199,26 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int8) (y : int8) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : isize) (y : isize) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -11067,25 +14227,25 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int8) (y : int8) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : isize) (y : isize) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -11094,1548 +14254,1363 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int8) (y : int8) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : isize) (y : isize) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, 
o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o <> C_Greater'0 - constant y : int16 + constant x : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : bool) (y : bool) : () + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | 
(False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o = C_Less'0 - constant y : int16 + constant x : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : bool) (y : bool) : () + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + 
function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o <> C_Less'0 - constant y : int16 + constant x : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : bool) (y : bool) : () + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self 
: bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o = C_Greater'0 - constant y : int16 + constant x : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : bool) (y : bool) : () + + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int16) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : bool) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x 
= C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord4] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - constant z : int16 + constant z : bool constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int16) (y : int16) (z : int16) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : bool) (y : bool) (z : bool) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym1 
[#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int16) (y : int16) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : bool) (y : bool) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span 
sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int16) (y : int16) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : bool) (y : bool) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | 
C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int16) (y : int16) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : bool) (y : bool) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* <(A, B) as logic::ord::OrdLogic> *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 276 20 276 68 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 
14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int32 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int32) (y : int32) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - use prelude.prelude.Int32 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int32 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int32) (y : int32) : () + axiom refl'0_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int32 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + + + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int32 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int32) (y : int32) : () + axiom refl'1_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int32 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : int32 + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant y : int32 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int32) (y : int32) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int32 + function le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_le_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'2 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 275 4 275 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ le_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ lt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) - constant x : int32 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int32) : () + constant x : (t_A'0, t_B'0) - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 + constant y : (t_A'0, t_B'0) + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi211457485035727011__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log 
[#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 282 20 282 67 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int32 + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 - - constant z : int32 - - constant o : 
t_Ordering'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int32) (y : int32) (z : int32) (o : t_Ordering'0) : () - + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int32 + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int32 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int32) (y : int32) : () + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int32 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int32 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int32 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int32) (y : int32) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int32 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int32) (y : int32) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use prelude.prelude.Int64 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int64 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int64) (y : int64) : () + axiom refl'1_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant x : int64 + function lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - constant y : int64 + function cmp_lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int64) (y : int64) : () + axiom cmp_lt_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'2 x y = (cmp_log'1 x y = C_Less'0) - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 281 4 281 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + + = + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ lt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ lt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : int64 + constant x : (t_A'0, t_B'0) - constant y : int64 + constant y : (t_A'0, t_B'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 
140 8 140 39] (x : int64) (y : int64) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 288 20 288 68 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int64 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int64 - constant y : int64 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int64) (y : int64) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int64 + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int64 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int64) : () + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - use prelude.prelude.Int64 + axiom refl'0_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - constant x : int64 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - constant y : int64 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant z : int64 + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant o : t_Ordering'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int64) (y : int64) (z : int64) (o : t_Ordering'0) : () - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int64 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int64 - constant y : int64 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int64) (y : int64) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int64 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int64) (y : int64) : () + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int64 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : int64 + axiom cmp_ge_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'2 x y = (cmp_log'1 x y <> C_Less'0) - constant y : int64 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int64) (y : int64) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int128 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 287 4 287 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + + = + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ ge_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ gt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + constant x : (t_A'0, t_B'0) - constant y : int128 + constant y : (t_A'0, t_B'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int128) (y : int128) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* <(A, B) as logic::ord::OrdLogic> *) + 
let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 294 20 294 67 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int128 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int128 - constant y : int128 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_lt_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int128) (y : int128) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - use prelude.prelude.Int128 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int128 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int128) (y : int128) : () + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int128 + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int128 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int128 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int128) (y : int128) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int128 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int128) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int128 + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 - - constant y : int128 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant z : int128 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - constant o : t_Ordering'0 + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int128) (y : int128) (z : int128) (o : t_Ordering'0) : () - + function gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function cmp_gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int128 + axiom cmp_gt_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'2 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant x : int128 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - constant y : int128 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int128) (y : int128) : () + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int128 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 293 4 293 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + + = + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ gt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ gt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : int128 + constant x : (t_A'0, t_B'0) - constant y 
: int128 + constant y : (t_A'0, t_B'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int128) (y : int128) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int128 + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . 
([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - constant y : int128 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int128) (y : int128) : () + axiom refl'1_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.IntSize + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : isize + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - constant y : isize + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : isize) (y : isize) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.IntSize + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : isize - constant y : isize + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : isize) (y : isize) : () + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) + -> ([%#sord14] cmp_log'2 y x = C_Less'0) - use prelude.prelude.IntSize + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord11] cmp_log'2 x y = C_Less'0) + -> ([%#sord12] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) + -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) - constant y : isize + function refl'2 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : isize) (y : isize) : () + axiom refl'2_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.IntSize + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : isize + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant y : isize + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : isize) (y : isize) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.IntSize + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : isize + constant x : (t_A'0, t_B'0) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : isize) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : (t_A'0, t_B'0)) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi1910662420989811789__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* <(A, B) as logic::ord::OrdLogic> *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.IntSize + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - constant y : isize + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant z : isize + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - constant o : t_Ordering'0 + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : isize) (y : isize) (z : isize) (o : t_Ordering'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - use prelude.prelude.IntSize + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom refl'0_spec : forall x : t_A'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - constant x : isize + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - constant y : isize + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : isize) (y : isize) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use prelude.prelude.IntSize + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - constant x : isize + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - constant y : isize + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : isize) (y : isize) : () + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord17] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.IntSize + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord15] cmp_log'2 x y = C_Greater'0) + -> ([%#sord16] cmp_log'2 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Less'0) + -> ([%#sord14] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function trans'2 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + axiom trans'2_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord10] cmp_log'2 x y = o) + -> ([%#sord11] cmp_log'2 y z = o) -> ([%#sord12] cmp_log'2 x z = o) - constant y : isize + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : isize) (y : isize) : () + axiom refl'1_spec : forall x : t_B'0 . 
[%#sord9] cmp_log'2 x x = C_Equal'0 - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord8] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - constant x : bool + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant y : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : bool) (y : bool) : () + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + [%#sord4] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o = C_Less'0 + constant x : (t_A'0, t_B'0) - constant x : bool + constant y : (t_A'0, t_B'0) - constant y : bool + constant z : (t_A'0, t_B'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : bool) (y : bool) : () + constant o : t_Ordering'0 - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) (z : (t_A'0, t_B'0)) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o <> C_Less'0 + function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - constant x : bool + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant y : bool + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : bool) (y : bool) : () + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o = C_Greater'0 + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant x : bool + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - constant y : bool + axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : bool) (y : bool) : () + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord2] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - constant x : bool + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : bool) : () + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord4] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom 
cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - constant x : bool + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - constant y : bool + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - constant z : bool + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - constant o : t_Ordering'0 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : bool) (y : bool) (z : bool) (o : t_Ordering'0) : () - + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function antisym1'2 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - constant x : bool + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : bool + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : bool) (y : bool) : () + axiom refl'1_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - constant x : bool + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - constant y : bool + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : bool) (y : bool) : () + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : bool + constant x : (t_A'0, t_B'0) - constant y : bool + constant y : (t_A'0, t_B'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : bool) (y : bool) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 276 20 276 68 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 let%span sord4 = 
"../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 
@@ -12660,114 +15635,107 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#".. | C_Equal'0 | C_Greater'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + function antisym2'2 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + axiom antisym2'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function cmp_le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_le_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'2 x y = (cmp_log'1 x y <> C_Greater'0) + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 275 4 275 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ le_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ lt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 
@@ -12782,29 +15750,28 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#".. constant y : (t_A'0, t_B'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 282 20 282 67 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 
14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 type t_A'0 
@@ -12815,119 +15782,112 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#".. | C_Equal'0 | C_Greater'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom refl'0_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function eq_cmp'2 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom eq_cmp'2_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) + -> ([%#sord14] cmp_log'2 y x = C_Less'0) - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord11] cmp_log'2 x y = C_Less'0) + -> ([%#sord12] cmp_log'2 y x = C_Greater'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) + -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + axiom refl'1_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - function cmp_lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_lt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'2 x y = (cmp_log'1 x y = C_Less'0) + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 281 4 281 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ lt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ lt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) else r 
@@ -12937,1495 +15897,2174 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#".. constant y : (t_A'0, t_B'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 288 20 288 68 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = 
"../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__logic__seq__qyi345269549310492227__concat_contains [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (* logic::seq::Seq *) + let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq1 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_A'0 + type t_T'0 - type t_B'0 + use seq.Seq - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq2] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + constant _1 : () + + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () + + goal vc_concat_contains'0 : [%#sseq0] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . 
contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x +end +module M_creusot_contracts__ptr_own__qyi17842610664047605351__new [#"../../../creusot-contracts/src/ptr_own.rs" 52 4 52 56] (* ptr_own::PtrOwn *) + let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 52 15 52 16 + let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 52 24 52 56 + let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 51 14 51 64 + let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 61 20 61 23 + let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 61 36 61 68 + let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 60 14 60 67 + let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 + let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + let%span sptr_own8 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 + let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + + type t_T'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed7] inv'0 self + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x + + use prelude.prelude.Opaque + + type t_PtrOwn'0 + + type t_GhostBox'0 = + { t_GhostBox__0'0: t_PtrOwn'0 } + + use prelude.prelude.Borrow + + function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + + use prelude.prelude.Int + + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = + [%#sptr10] addr_logic'0 self = 0 + + axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr9] is_null_logic'0 self = (addr_logic'0 self = 0) + + function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + + predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = + [%#sptr_own8] not is_null_logic'0 (ptr'0 self) /\ inv'2 (val'0 self) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + + axiom inv_axiom'4 [@rewrite] : forall x : t_PtrOwn'0 [inv'5 x] . inv'5 x = invariant'2 x + + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = + [%#sboxed7] inv'5 self + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'1 x + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (opaque_ptr, t_GhostBox'0)) + + axiom inv_axiom'0 [@rewrite] : forall x : (opaque_ptr, t_GhostBox'0) [inv'1 x] . 
inv'1 x + = (let (x0, x1) = x in inv'3 x1) + + function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = + [%#sghost6] self.t_GhostBox__0'0 + + let rec from_box'0 (val':t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:from_box 'val' type invariant] [%#sptr_own3] inv'2 val'} + any + [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[%#sptr_own4] inv'1 result} + {[%#sptr_own5] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) + /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = val'} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + meta "compute_max_steps" 1000000 + + let rec new'0 (v:t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:new 'v' type invariant] [%#sptr_own0] inv'0 v} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = s0 [ s0 = from_box'0 {v} (fun (_ret':(opaque_ptr, t_GhostBox'0)) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : (opaque_ptr, t_GhostBox'0) = any_l () | & v : t_T'0 = v ] + [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[@expl:new result type invariant] [%#sptr_own1] inv'1 result} + {[@expl:new ensures] [%#sptr_own2] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) + /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = v} + (! 
return' {result}) ] +end +module M_creusot_contracts__ptr_own__qyi17842610664047605351__drop [#"../../../creusot-contracts/src/ptr_own.rs" 98 4 98 57] (* ptr_own::PtrOwn *) + let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 98 32 98 35 + let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 97 15 97 31 + let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 92 34 92 37 + let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 89 15 89 31 + let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 92 63 92 69 + let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 90 14 90 35 + let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 + let%span sresolve7 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 + let%span sboxed8 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + let%span sptr_own9 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 + let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr11 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_PtrOwn'0 - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_PtrOwn'0 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + use prelude.prelude.Opaque - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + use prelude.prelude.Int - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = + [%#sptr11] addr_logic'0 self = 0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr10] is_null_logic'0 self = (addr_logic'0 self = 0) - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + type t_T'0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed8] inv'3 self - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + axiom inv_axiom'0 [@rewrite] : forall x : t_T'0 [inv'0 x] . inv'0 x = invariant'0 x - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = + [%#sptr_own9] not is_null_logic'0 (ptr'0 self) /\ inv'0 (val'0 self) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'2 x - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = + [%#sboxed8] inv'4 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom inv_axiom'2 [@rewrite] : forall x : t_PtrOwn'0 [inv'2 x] . inv'2 x = invariant'1 x - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = + [%#sghost6] self.t_GhostBox__0'0 - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + let rec to_box'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:to_box 'own' type invariant] [%#sptr_own2] inv'1 own} + {[@expl:to_box requires] [%#sptr_own3] ptr = ptr'0 (inner_logic'0 own)} + any + [ return' (result:t_T'0)-> {[%#sptr_own4] inv'0 result} + {[%#sptr_own5] result = val'0 (inner_logic'0 own)} + (! return' {result}) ] + - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = + [%#sresolve7] resolve'2 self - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) = + resolve'1 _1 - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Intrinsic - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + meta "compute_max_steps" 1000000 + + let rec drop'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:()))= {[@expl:drop 'own' type invariant] [%#sptr_own0] inv'1 own} + {[@expl:drop requires] [%#sptr_own1] ptr = ptr'0 (inner_logic'0 own)} + (! bb0 + [ bb0 = s0 [ s0 = to_box'0 {ptr} {own} (fun (_ret':t_T'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = {[@expl:type invariant] inv'0 _4} s1 | s1 = -{resolve'0 _4}- s2 | s2 = bb2 ] + | bb2 = bb3 + | bb3 = return' {_0} ] + ) [ & _0 : () = any_l () | & ptr : opaque_ptr = ptr | & own : t_GhostBox'0 = own | & _4 : t_T'0 = any_l () ] + [ return' (result:())-> (! return' {result}) ] +end +module M_creusot_contracts__resolve__qyi4855891653524509355__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (* <(T1, T2) as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 45 15 45 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 46 14 46 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 43 4 43 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 40 8 40 44 - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Borrow - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_T1'0 - axiom refl'1_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + type t_T2'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T2'0) - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T1'0) - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : (t_T1'0, t_T2'0)) = + match _1 with + | (x0, x1) -> resolve'1 x1 /\ resolve'2 x0 + end - function ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 39 4 39 28] (self : (t_T1'0, t_T2'0)) = + [%#sresolve3] resolve'2 (let (a, _) = self in a) /\ resolve'1 (let (_, a) = self in a) - function cmp_ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + constant self : (t_T1'0, t_T2'0) - axiom cmp_ge_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord6] ge_log'2 x y = (cmp_log'1 x y <> C_Less'0) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (self : (t_T1'0, t_T2'0)) : () - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi6740873903368268328__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (* <&mut T as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 59 15 59 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 60 14 60 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 57 4 57 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Borrow - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + type t_T'0 - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : borrowed t_T'0) = + _1.final = _1.current - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + constant self : borrowed t_T'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 287 4 287 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ ge_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ gt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (self : borrowed t_T'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi10830812895881240411__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (* as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 73 15 73 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 74 14 74 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 71 4 71 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 - constant x : (t_A'0, t_B'0) + use prelude.prelude.Borrow - constant y : (t_A'0, t_B'0) + type t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* 
<(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 294 20 294 67 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_T'0) = + resolve'1 _1 - type t_A'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = + [%#sresolve3] resolve'1 self - type t_B'0 + constant self : t_T'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (self : t_T'0) : () - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + goal vc_resolve_coherence'0 : 
([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi12875730110607858017__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (* as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 90 15 90 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 91 14 91 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 88 4 88 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_T'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_Option'0) = + match _1 with + | C_None'0 -> true + | C_Some'0 x0 -> resolve'1 x0 + end - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = + [%#sresolve3] match self with + | C_Some'0 x -> resolve'1 x + | C_None'0 -> true + end - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + constant self : t_Option'0 - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (self : t_Option'0) : () - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__snapshot__qyi5567339964777190687__clone [#"../../../creusot-contracts/src/snapshot.rs" 59 4 59 27] (* as std::clone::Clone> *) + let%span ssnapshot0 = "../../../creusot-contracts/src/snapshot.rs" 58 14 58 29 - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + type t_T'0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.Snapshot - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Intrinsic - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use prelude.prelude.Borrow - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + meta "compute_max_steps" 1000000 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + let rec clone'0 (self:Snapshot.snap_ty t_T'0) (return' (ret:Snapshot.snap_ty t_T'0))= (! bb0 + [ bb0 = s0 [ s0 = [ &_0 <- self ] s1 | s1 = return' {_0} ] ] + ) [ & _0 : Snapshot.snap_ty t_T'0 = any_l () | & self : Snapshot.snap_ty t_T'0 = self ] + [ return' (result:Snapshot.snap_ty t_T'0)-> {[@expl:clone ensures] [%#ssnapshot0] result = self} + (! return' {result}) ] + +end +module M_creusot_contracts__util__unwrap [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] + let%span sutil0 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil1 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 + let%span sutil2 = "../../../creusot-contracts/src/util.rs" 45 11 45 16 + let%span sutil3 = "../../../creusot-contracts/src/util.rs" 46 10 46 15 + let%span sutil4 = "../../../creusot-contracts/src/util.rs" 47 10 47 11 + let%span sutil5 = "../../../creusot-contracts/src/util.rs" 58 4 61 5 - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + type t_T'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function unreachable'0 [#"../../../creusot-contracts/src/util.rs" 48 0 48 28] (_1 : ()) : t_T'0 - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + axiom unreachable'0_spec : forall _1 : () . 
([%#sutil2] false) -> ([%#sutil3] false) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + constant op : t_Option'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'0) : t_T'0 - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + goal vc_unwrap'0 : ([%#sutil0] op <> C_None'0) + -> match op with + | C_Some'0 t -> [%#sutil1] C_Some'0 t = op + | C_None'0 -> ([@expl:unreachable requires] [%#sutil2] false) + /\ (([%#sutil3] false) -> ([%#sutil1] C_Some'0 (unreachable'0 ()) = op)) + end +end +module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_refl__refines [#"../../../creusot-contracts/src/std/array.rs" 73 4 73 26] (* as std::iter::Iterator> *) + let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 73 4 73 26 + let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.Slice - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_T'0 } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_MaybeUninit'0 = + { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_IndexRange'0 = + { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_IntoIter'0 = + { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use seq.Seq - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) - function cmp_gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + goal refines : [%#sarray0] forall self : t_IntoIter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_trans__refines [#"../../../creusot-contracts/src/std/array.rs" 80 4 80 90] (* as std::iter::Iterator> *) + let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 80 4 80 90 + let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 - axiom cmp_gt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'2 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Slice - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + type t_T'0 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_T'0 } - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + type t_MaybeUninit'0 = + { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.UIntSize - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_IndexRange'0 = + { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + type t_IntoIter'0 = + { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 293 4 293 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ gt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ gt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) + [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + goal refines : [%#sarray0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 78 4 78 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 78 4 78 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - constant x : (t_A'0, t_B'0) + use prelude.prelude.UInt16 - constant y : (t_A'0, t_B'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 
51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Opaque - type t_A'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_B'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Borrow - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_K'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_V'0 - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use seq.Seq - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_FMap'0 - axiom refl'1_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_Iter'0) : t_FMap'0 + - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Int - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use map.Map - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + = + [%#sfmap6] Map.get (view'1 self) k - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) - -> ([%#sord14] cmp_log'2 y x = C_Less'0) + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) - -> ([%#sord12] cmp_log'2 y x = C_Greater'0) + goal refines : [%#shash_map0] forall self : t_Iter'0 . 
forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 85 4 85 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 85 4 85 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + use prelude.prelude.UInt16 - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) - -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function refl'2 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom refl'2_spec : forall x : t_B'0 . 
[%#sord7] cmp_log'2 x x = C_Equal'0 + use prelude.prelude.Opaque - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.UIntSize - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + type t_K'0 - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_V'0 - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + type t_FMap'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_Iter'0) : t_FMap'0 - constant x : (t_A'0, t_B'0) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : (t_A'0, t_B'0)) : () + use prelude.prelude.Int - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 
45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - type t_A'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - type t_B'0 + use seq.Seq - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + use map.Map - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + use map.Map - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + = + [%#sfmap6] Map.get (view'1 self) k - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - axiom refl'0_spec : forall x : t_A'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . 
contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + goal refines : [%#shash_map0] forall a : t_Iter'0 . forall ab : Seq.seq (t_K'0, t_V'0) . forall b : t_Iter'0 . forall bc : Seq.seq (t_K'0, t_V'0) . forall c : t_Iter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 136 4 136 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 136 4 136 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.UInt16 - function cmp_ge_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Opaque - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UIntSize - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | 
C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord17] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_K'0 - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord15] cmp_log'2 x y = C_Greater'0) - -> ([%#sord16] cmp_log'2 y x = C_Less'0) + type t_V'0 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Less'0) - -> ([%#sord14] cmp_log'2 y x = C_Greater'0) + type t_FMap'0 - function trans'2 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 96 4 96 33] (self : t_IntoIter'0) : t_FMap'0 - axiom trans'2_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord10] cmp_log'2 x y = o) - -> ([%#sord11] cmp_log'2 y z = o) -> ([%#sord12] cmp_log'2 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - - axiom refl'1_spec : forall x : t_B'0 . 
[%#sord9] cmp_log'2 x x = C_Equal'0 - - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.Int - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord8] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use map.Map - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#sord4] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - - - constant x : (t_A'0, t_B'0) + [%#sfmap6] Map.get (view'1 self) k - constant y : (t_A'0, t_B'0) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - constant z : (t_A'0, t_B'0) + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - constant o : t_Ordering'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) (z : (t_A'0, t_B'0)) (o : 
t_Ordering'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 104 4 104 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) + use seq.Seq + + goal refines : [%#shash_map0] forall a : t_IntoIter'0 . forall ab : Seq.seq (t_K'0, t_V'0) . forall b : t_IntoIter'0 . forall bc : Seq.seq (t_K'0, t_V'0) . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 129 4 129 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 129 4 129 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span 
sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_A'0 + use prelude.prelude.UInt16 - type t_B'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { 
t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_K'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + type t_V'0 + + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + type t_FMap'0 - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 96 4 96 33] (self : t_IntoIter'0) : t_FMap'0 + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Int - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap2] len'0 self >= 0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + use map.Map - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + + = + [%#sfmap6] Map.get (view'1 self) k - function antisym1'2 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - axiom antisym1'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 104 4 104 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . 
get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + goal refines : [%#shash_map0] forall self : t_IntoIter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 187 4 187 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 187 4 187 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + use prelude.prelude.UInt16 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use prelude.prelude.Opaque - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.UIntSize - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + type t_K'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + type t_V'0 - constant x : (t_A'0, t_B'0) + use seq.Seq - constant y : (t_A'0, t_B'0) + type t_FMap'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 147 4 147 33] (self : t_IterMut'0) : t_FMap'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Int - type t_A'0 + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - type t_B'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + use map.Map - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use map.Map - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + = + [%#sfmap6] Map.get (view'1 self) k - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - - axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, borrowed t_V'0) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 155 4 155 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . get'1 visited i1 + = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + goal refines : [%#shash_map0] forall a : t_IterMut'0 . forall ab : Seq.seq (t_K'0, borrowed t_V'0) . forall b : t_IterMut'0 . forall bc : Seq.seq (t_K'0, borrowed t_V'0) . forall c : t_IterMut'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.UInt16 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use prelude.prelude.Opaque - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - function antisym2'2 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - axiom antisym2'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + use seq.Seq - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + type t_K'0 - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + type t_V'0 - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + use seq.Seq - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + type t_FMap'0 - axiom refl'1_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 147 4 147 33] (self : t_IterMut'0) : t_FMap'0 + - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.Int - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use map.Map - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r + [%#sfmap6] Map.get (view'1 self) k + + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - constant x : (t_A'0, t_B'0) + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, borrowed t_V'0) - constant y : (t_A'0, t_B'0) + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + predicate produces'0 
[#"../../../creusot-contracts/src/std/collections/hash_map.rs" 155 4 155 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . get'1 visited i1 + = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) + goal refines : [%#shash_map0] forall self : t_IterMut'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 75 4 75 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 75 4 75 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span sfset2 = 
"../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_A'0 + use prelude.prelude.UInt16 - type t_B'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom refl'0_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Borrow - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use set.Fset - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_Iter'0) : Fset.fset t_T'0 + - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use set.Fset - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Int - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use set.Fset - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset2] Fset.mem e self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 54 4 54 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 
0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - function eq_cmp'2 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + goal refines : [%#shash_set0] forall self : t_Iter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 82 4 82 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 82 4 82 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom eq_cmp'2_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) + use prelude.prelude.UInt16 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) - -> ([%#sord14] cmp_log'2 y x = C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Opaque - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord11] cmp_log'2 x y = C_Less'0) - -> ([%#sord12] cmp_log'2 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) - -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + use prelude.prelude.UIntSize - axiom refl'1_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + type t_T'0 - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + use set.Fset - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_Iter'0) : Fset.fset t_T'0 + - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + use set.Fset - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) = - [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + [%#sfset2] Fset.mem e self - constant x : (t_A'0, t_B'0) + use seq.Seq - constant y : (t_A'0, t_B'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 54 4 54 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__ptr_own__qyi17842610664047605351__new [#"../../../creusot-contracts/src/ptr_own.rs" 52 4 52 56] (* ptr_own::PtrOwn *) - let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 52 15 52 16 - let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 52 24 52 56 - let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 51 14 51 64 - let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 61 20 61 23 - let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 61 36 61 68 - let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 60 14 60 67 - let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 - let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sptr_own8 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 - let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 
82 8 82 30 - - type t_T'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal refines : [%#shash_set0] forall a : t_Iter'0 . forall ab : Seq.seq t_T'0 . forall b : t_Iter'0 . forall bc : Seq.seq t_T'0 . forall c : t_Iter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 131 4 131 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 131 4 131 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed7] inv'0 self + use prelude.prelude.UInt16 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } use prelude.prelude.Opaque - type t_PtrOwn'0 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - type t_GhostBox'0 = - { t_GhostBox__0'0: t_PtrOwn'0 } + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - use prelude.prelude.Borrow + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + use prelude.prelude.UIntSize - use prelude.prelude.Int + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = - [%#sptr10] addr_logic'0 self = 0 + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | 
C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr9] is_null_logic'0 self = (addr_logic'0 self = 0) + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = - [%#sptr_own8] not is_null_logic'0 (ptr'0 self) /\ inv'2 (val'0 self) + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - axiom inv_axiom'4 [@rewrite] : forall x : t_PtrOwn'0 [inv'5 x] . 
inv'5 x = invariant'2 x + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = - [%#sboxed7] inv'5 self + type t_T'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + use seq.Seq - axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'1 x + use set.Fset - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 95 4 95 33] (self : t_IntoIter'0) : Fset.fset t_T'0 + - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + use set.Fset - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (opaque_ptr, t_GhostBox'0)) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : (opaque_ptr, t_GhostBox'0) [inv'1 x] . inv'1 x - = (let (x0, x1) = x in inv'3 x1) + use prelude.prelude.Int - function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = - [%#sghost6] self.t_GhostBox__0'0 + use set.Fset - let rec from_box'0 (val':t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:from_box 'val' type invariant] [%#sptr_own3] inv'2 val'} - any - [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[%#sptr_own4] inv'1 result} - {[%#sptr_own5] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) - /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = val'} - (! 
return' {result}) ] + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + = + [%#sfset2] Fset.mem e self - use prelude.prelude.Intrinsic + use seq.Seq - meta "compute_max_steps" 1000000 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - let rec new'0 (v:t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:new 'v' type invariant] [%#sptr_own0] inv'0 v} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = s0 [ s0 = from_box'0 {v} (fun (_ret':(opaque_ptr, t_GhostBox'0)) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] - | bb3 = bb4 - | bb4 = return' {_0} ] - ) [ & _0 : (opaque_ptr, t_GhostBox'0) = any_l () | & v : t_T'0 = v ] - [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[@expl:new result type invariant] [%#sptr_own1] inv'1 result} - {[@expl:new ensures] [%#sptr_own2] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) - /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = v} - (! 
return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 103 4 103 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) -end -module M_creusot_contracts__ptr_own__qyi17842610664047605351__drop [#"../../../creusot-contracts/src/ptr_own.rs" 98 4 98 57] (* ptr_own::PtrOwn *) - let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 98 32 98 35 - let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 97 15 97 31 - let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 92 34 92 37 - let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 89 15 89 31 - let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 92 63 92 69 - let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 90 14 90 35 - let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 - let%span sresolve7 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 - let%span sboxed8 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sptr_own9 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 - let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr11 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - - type t_PtrOwn'0 - - type t_GhostBox'0 = - { t_GhostBox__0'0: t_PtrOwn'0 } + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 
0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - use prelude.prelude.Borrow + use seq.Seq - use prelude.prelude.Opaque + goal refines : [%#shash_set0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 124 4 124 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 124 4 124 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + use prelude.prelude.UInt16 - use prelude.prelude.Int + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = - [%#sptr11] addr_logic'0 self = 0 + use prelude.prelude.Opaque - axiom is_null_logic'0_spec : forall self : opaque_ptr . 
[%#sptr10] is_null_logic'0 self = (addr_logic'0 self = 0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - type t_T'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.UIntSize - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed8] inv'3 self + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom inv_axiom'0 [@rewrite] : forall x : t_T'0 [inv'0 x] . 
inv'0 x = invariant'0 x + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = - [%#sptr_own9] not is_null_logic'0 (ptr'0 self) /\ inv'0 (val'0 self) + type t_Option'0 = + | 
C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'2 x + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = - [%#sboxed8] inv'4 self + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom inv_axiom'2 [@rewrite] : forall x : t_PtrOwn'0 [inv'2 x] . inv'2 x = invariant'1 x + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + type t_T'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + use seq.Seq - function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = - [%#sghost6] self.t_GhostBox__0'0 + use set.Fset - let rec to_box'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:to_box 'own' type invariant] [%#sptr_own2] inv'1 own} - {[@expl:to_box requires] [%#sptr_own3] ptr = ptr'0 (inner_logic'0 own)} - any - [ return' (result:t_T'0)-> {[%#sptr_own4] inv'0 result} - {[%#sptr_own5] result = val'0 (inner_logic'0 own)} - (! 
return' {result}) ] + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 95 4 95 33] (self : t_IntoIter'0) : Fset.fset t_T'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = - [%#sresolve7] resolve'2 self + use set.Fset - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) = - resolve'1 _1 + use seq.Seq - use prelude.prelude.Intrinsic + use prelude.prelude.Int - meta "compute_max_steps" 1000000 + use set.Fset - let rec drop'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:()))= {[@expl:drop 'own' type invariant] [%#sptr_own0] inv'1 own} - {[@expl:drop requires] [%#sptr_own1] ptr = ptr'0 (inner_logic'0 own)} - (! bb0 - [ bb0 = s0 [ s0 = to_box'0 {ptr} {own} (fun (_ret':t_T'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = {[@expl:type invariant] inv'0 _4} s1 | s1 = -{resolve'0 _4}- s2 | s2 = bb2 ] - | bb2 = bb3 - | bb3 = return' {_0} ] - ) [ & _0 : () = any_l () | & ptr : opaque_ptr = ptr | & own : t_GhostBox'0 = own | & _4 : t_T'0 = any_l () ] - [ return' (result:())-> (! 
return' {result}) ] + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) -end -module M_creusot_contracts__resolve__qyi4855891653524509355__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (* <(T1, T2) as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 45 15 45 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 46 14 46 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 43 4 43 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 40 8 40 44 + = + [%#sfset2] Fset.mem e self - use prelude.prelude.Borrow + use seq.Seq - type t_T1'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - type t_T2'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 103 4 103 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T2'0) + goal refines : [%#shash_set0] forall self : t_IntoIter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 209 4 209 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 209 4 209 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T1'0) + use prelude.prelude.UInt16 - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : (t_T1'0, t_T2'0)) = - match _1 with - | (x0, x1) -> resolve'1 x1 /\ resolve'2 x0 - end + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 39 4 39 28] (self : (t_T1'0, t_T2'0)) = - [%#sresolve3] resolve'2 (let (a, _) = self in a) /\ resolve'1 (let (_, a) = self in a) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - constant self : (t_T1'0, t_T2'0) + use prelude.prelude.Opaque - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (self : (t_T1'0, t_T2'0)) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi6740873903368268328__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (* <&mut T as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 59 15 59 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 60 14 60 31 - let%span 
sresolve2 = "../../../creusot-contracts/src/resolve.rs" 57 4 57 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - use prelude.prelude.Borrow + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - type t_T'0 + use prelude.prelude.UIntSize - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : borrowed t_T'0) = - _1.final = _1.current + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - constant self : borrowed t_T'0 + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (self : borrowed t_T'0) : () + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi10830812895881240411__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (* as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 73 15 73 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 74 14 74 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 71 4 71 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } use prelude.prelude.Borrow - type t_T'0 - - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + type t_S'0 - predicate structural_resolve'0 
[#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_T'0) = - resolve'1 _1 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = - [%#sresolve3] resolve'1 self + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - constant self : t_T'0 + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (self : t_T'0) : () + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi12875730110607858017__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (* as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 90 15 90 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 91 14 91 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 88 4 88 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - use prelude.prelude.Borrow + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - type t_T'0 + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + type t_T'0 - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_Option'0) = - match _1 with - | C_None'0 -> true - | C_Some'0 x0 -> 
resolve'1 x0 - end + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = - [%#sresolve3] match self with - | C_Some'0 x -> resolve'1 x - | C_None'0 -> true - end + use set.Fset - constant self : t_Option'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 180 4 180 33] (self : t_Intersection'0) : Fset.fset t_T'0 + - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (self : t_Option'0) : () + use set.Fset - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__snapshot__qyi5567339964777190687__clone [#"../../../creusot-contracts/src/snapshot.rs" 59 4 59 27] (* as std::clone::Clone> *) - let%span ssnapshot0 = "../../../creusot-contracts/src/snapshot.rs" 58 14 58 29 + use seq.Seq - type t_T'0 + use prelude.prelude.Int - use prelude.prelude.Snapshot + use set.Fset - use prelude.prelude.Intrinsic + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset2] Fset.mem e self - use prelude.prelude.Borrow + use seq.Seq - meta "compute_max_steps" 1000000 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - let rec clone'0 (self:Snapshot.snap_ty t_T'0) (return' (ret:Snapshot.snap_ty t_T'0))= (! bb0 - [ bb0 = s0 [ s0 = [ &_0 <- self ] s1 | s1 = return' {_0} ] ] - ) [ & _0 : Snapshot.snap_ty t_T'0 = any_l () | & self : Snapshot.snap_ty t_T'0 = self ] - [ return' (result:Snapshot.snap_ty t_T'0)-> {[@expl:clone ensures] [%#ssnapshot0] result = self} - (! 
return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 188 4 188 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) + + goal refines : [%#shash_set0] forall self : t_Intersection'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__util__unwrap [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] - let%span sutil0 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 - let%span sutil1 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 - let%span sutil2 = "../../../creusot-contracts/src/util.rs" 45 11 45 16 - let%span sutil3 = "../../../creusot-contracts/src/util.rs" 46 10 46 15 - let%span sutil4 = "../../../creusot-contracts/src/util.rs" 47 10 47 11 - let%span sutil5 = "../../../creusot-contracts/src/util.rs" 58 4 61 5 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 
46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_T'0 + use prelude.prelude.UInt16 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function unreachable'0 [#"../../../creusot-contracts/src/util.rs" 48 0 48 28] (_1 : ()) : t_T'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom unreachable'0_spec : forall _1 : () . ([%#sutil2] false) -> ([%#sutil3] false) + use prelude.prelude.Opaque - constant op : t_Option'0 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'0) : t_T'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - goal vc_unwrap'0 : ([%#sutil0] op <> C_None'0) - -> match op with - | C_Some'0 t -> [%#sutil1] C_Some'0 t = op - | C_None'0 -> ([@expl:unreachable requires] [%#sutil2] false) - /\ (([%#sutil3] false) -> ([%#sutil1] C_Some'0 (unreachable'0 ()) = op)) - end -end -module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_refl__refines [#"../../../creusot-contracts/src/std/array.rs" 73 4 73 26] (* as std::iter::Iterator> *) - let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 73 4 73 26 - let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - use prelude.prelude.Slice + use prelude.prelude.UIntSize - type t_T'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_T'0 } + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - type t_MaybeUninit'0 = - { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } + type t_Keys'0 = + { t_Keys__inner'0: 
t_Iter'2 } - use prelude.prelude.UIntSize + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - type t_IndexRange'0 = - { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - type t_IntoIter'0 = - { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } + use prelude.prelude.Borrow - use seq.Seq + type t_S'0 - use seq.Seq + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - use seq.Seq + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - goal refines : [%#sarray0] forall self : t_IntoIter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self - -> produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_trans__refines [#"../../../creusot-contracts/src/std/array.rs" 80 4 80 90] (* as std::iter::Iterator> *) - let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 80 4 80 90 - let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - use prelude.prelude.Slice + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - type t_T'0 + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_T'0 } + type t_T'0 - type t_MaybeUninit'0 = - { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } + use seq.Seq - use prelude.prelude.UIntSize + use set.Fset - type t_IndexRange'0 = - { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 180 4 180 33] (self : t_Intersection'0) : Fset.fset t_T'0 + - type t_IntoIter'0 = - { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } + use set.Fset use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset2] Fset.mem e self use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 188 4 188 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = - [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - goal refines : [%#sarray0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + use seq.Seq + + goal refines : [%#shash_set0] forall a : t_Intersection'0 . forall ab : Seq.seq t_T'0 . forall b : t_Intersection'0 . forall bc : Seq.seq t_T'0 . forall c : t_Intersection'0 . produces'0 b bc c /\ produces'0 a ab b -> produces'0 b bc c /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) 
@@ -24067,7 +27706,7 @@ module M_creusot_contracts__stdqy35z1__vec__qyi6844585276173866460__resolve_cohe let%span sindex3 = "../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span svec5 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -24131,7 +27770,7 @@ module M_creusot_contracts__stdqy35z1__vec__qyi6844585276173866460__resolve_cohe axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'3 x - predicate invariant'2 [#"../../../creusot-contracts/src/logic/seq.rs" 622 4 622 30] (self : Seq.seq t_T'0) = + predicate invariant'2 [#"../../../creusot-contracts/src/logic/seq.rs" 632 4 632 30] (self : Seq.seq t_T'0) = [%#sseq6] forall i : int . 0 <= i /\ i < Seq.length self -> inv'3 (Seq.get self i) predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Seq.seq t_T'0) 
@@ -25111,10 +28750,10 @@ module M_creusot_contracts__logic__fmap__qyi4648834920430559677__clone__refines goal refines : [%#sfmap0] forall self : t_FMap'0 . inv'0 self -> inv'0 self /\ (forall result : t_FMap'0 . result = self /\ inv'1 result -> result = self /\ inv'1 result) end -module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines [#"../../../creusot-contracts/src/logic/fset.rs" 312 4 312 27] (* as std::clone::Clone> *) - let%span sfset0 = "../../../creusot-contracts/src/logic/fset.rs" 312 4 312 27 +module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines [#"../../../creusot-contracts/src/logic/fset.rs" 323 4 323 27] (* as std::clone::Clone> *) + let%span sfset0 = "../../../creusot-contracts/src/logic/fset.rs" 323 4 323 27 let%span sinvariant1 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 326 20 326 63 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 337 20 337 63 let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 use prelude.prelude.Borrow @@ -25132,7 +28771,7 @@ module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - predicate invariant'1 [#"../../../creusot-contracts/src/logic/fset.rs" 325 4 325 30] (self : Fset.fset t_T'0) = + predicate invariant'1 [#"../../../creusot-contracts/src/logic/fset.rs" 336 4 336 30] (self : Fset.fset t_T'0) = [%#sfset2] forall x : t_T'0 . contains'0 self x -> inv'2 x predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Fset.fset t_T'0) 
@@ -25167,10 +28806,10 @@ module M_creusot_contracts__logic__int__qyi3540547019284611154__clone__refines [ goal refines : [%#sint0] forall self : int . inv'0 self -> (forall result : int . result = self -> result = self /\ inv'1 result) end -module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [#"../../../creusot-contracts/src/logic/seq.rs" 610 4 610 27] (* as std::clone::Clone> *) - let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 610 4 610 27 +module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [#"../../../creusot-contracts/src/logic/seq.rs" 620 4 620 27] (* as std::clone::Clone> *) + let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 620 4 620 27 let%span sinvariant1 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -25194,7 +28833,7 @@ module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [ axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'2 x - predicate invariant'1 [#"../../../creusot-contracts/src/logic/seq.rs" 622 4 622 30] (self : Seq.seq t_T'0) = + predicate invariant'1 [#"../../../creusot-contracts/src/logic/seq.rs" 632 4 632 30] (self : Seq.seq t_T'0) = [%#sseq2] forall i : int . 0 <= i /\ i < Seq.length self -> inv'2 (Seq.get self i) predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Seq.seq t_T'0) diff --git a/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml b/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml index e070cf024..31c6ecd60 100644 --- a/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml +++ b/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml 
@@ -36,6 +36,364 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2843,26 +3201,6 @@ - - - - - - - - - - - - - - - - - - - - @@ -2883,16 +3221,6 @@ - - - - - - - - - - diff --git a/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz b/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz index 5ca92942f..3ac0f6172 100644 Binary files a/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz and b/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz differ diff --git a/creusot/tests/should_fail/bug/603.stderr b/creusot/tests/should_fail/bug/603.stderr index 89282f0f5..c3b84c8db 100644 --- a/creusot/tests/should_fail/bug/603.stderr +++ b/creusot/tests/should_fail/bug/603.stderr @@ -13,7 +13,7 @@ error[E0277]: the trait bound `VecMap: creusot_contracts::Default` is not (A, B, C, D) (A, B, C, D, E) (A, B, C, D, E, F) - and 22 others + and 23 others error: error above diff --git a/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr b/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr index 15b406d9b..129c6ceef 100644 --- a/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr +++ b/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr 
@@ -40,7 +40,7 @@ error[E0277]: Cannot take the model of `S` [T] creusot_contracts::GhostBox creusot_contracts::Snapshot - and 32 others + and 40 others error[E0277]: Cannot take the model of `S` --> view_unimplemented.rs:11:25 @@ -58,7 +58,7 @@ error[E0277]: Cannot take the model of `S` [T] creusot_contracts::GhostBox creusot_contracts::Snapshot - and 32 others + and 40 others error: internal error: Cannot fetch THIR body diff --git a/creusot/tests/should_succeed/cc/collections.coma b/creusot/tests/should_succeed/cc/collections.coma new file mode 100644 index 000000000..987837974 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections.coma 
@@ -0,0 +1,1905 @@ +module M_collections__roundtrip_hashmap_into_iter [#"collections.rs" 15 0 15 87] + let%span scollections0 = "collections.rs" 26 15 26 48 + let%span scollections1 = "collections.rs" 27 14 27 65 + let%span scollections2 = "collections.rs" 28 20 28 43 + let%span scollections3 = "collections.rs" 29 20 29 60 + let%span scollections4 = "collections.rs" 31 20 31 93 + let%span scollections5 = "collections.rs" 14 10 14 24 + let%span siter6 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter7 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map8 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 123 20 123 54 + let%span shash_map9 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span sfmap10 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_map12 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 196 20 196 24 + let%span shash_map13 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 202 20 202 33 + let%span shash_map14 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 240 20 242 73 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 128 14 128 45 + let%span shash_map16 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 126 4 126 10 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 133 15 133 32 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 134 15 134 32 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 135 14 135 42 + let%span shash_map20 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 137 8 137 104 + let%span sresolve21 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel22 = 
"../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap23 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap24 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap31 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap32 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'1 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'1 } + + predicate inv'0 (_1 : t_HashMap'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashMap'0 [inv'0 x] . 
inv'0 x = true + + predicate into_iter_pre'0 (self : t_HashMap'0) = + [%#shash_map12] true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | 
C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_FMap'0 + + function view'0 (self : t_HashMap'0) : t_FMap'0 + + function view'2 (self : t_IntoIter'0) : t_FMap'0 + + predicate into_iter_post'0 (self : t_HashMap'0) (res : t_IntoIter'0) = + [%#shash_map13] view'0 self = view'2 res + + let rec into_iter'0 (self:t_HashMap'0) (return' (ret:t_IntoIter'0))= {[@expl:into_iter 'self' type invariant] inv'0 self} + {[@expl:into_iter requires] [%#siter6] into_iter_pre'0 self} + any [ return' (result:t_IntoIter'0)-> {[%#siter6] into_iter_post'0 self result} (! return' {result}) ] + + predicate inv'1 (_1 : t_IntoIter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IntoIter'0 [inv'1 x] . inv'1 x = true + + use prelude.prelude.Borrow + + type t_K'0 + + type t_V'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_IntoIter'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap24] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = + [%#sseq11] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 + + use map.Map + + function view'3 (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + axiom view'3_spec : forall self : t_FMap'0 . [%#sfmap32] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'3 m1 <> view'3 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = + [%#sfmap26] Map.get (view'3 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = + [%#sfmap10] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end + + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) + + function get'1 (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 = + [%#sseq25] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) = + [%#shash_map9] len'0 (view'2 self) = Seq.length visited + len'0 (view'2 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'2 self) k = C_Some'0 v /\ get'0 (view'2 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'2 o) k = C_Some'0 v + -> get'0 (view'2 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'2 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'2 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . 
get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) + + function produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_IntoIter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_IntoIter'0) : () + + = + [%#shash_map20] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq (t_K'0, t_V'0), b : t_IntoIter'0, bc : Seq.seq (t_K'0, t_V'0), c : t_IntoIter'0 . ([%#shash_map17] produces'0 a ab b) + -> ([%#shash_map18] produces'0 b bc c) -> ([%#shash_map19] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IntoIter'0) : () = + [%#shash_map16] () + + axiom produces_refl'0_spec : forall self : t_IntoIter'0 . [%#shash_map15] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + + predicate resolve'1 (self : borrowed (t_IntoIter'0)) = + [%#sresolve21] self.final = self.current + + function view'1 (self : borrowed (t_IntoIter'0)) : t_FMap'0 = + [%#smodel22] view'2 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'0 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap27] len'0 (empty'0 _1) = 0) + && ([%#sfmap28] view'3 (empty'0 _1) = Const.const (C_None'1)) + + function ext_eq'0 (self : t_FMap'0) (other : t_FMap'0) : bool = + [%#sfmap31] view'3 self = view'3 other + + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap29] ext_eq'0 self other -> self = other) + && ([%#sfmap30] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'0) : bool = + [%#sfmap23] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_IntoIter'0)) = + [%#shash_map8] resolve'1 self /\ is_empty'0 (view'1 self) + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, t_V'0)) (res : t_HashMap'0) = + [%#shash_map14] forall k : t_K'0, v : t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int . 
0 <= i + /\ i < Seq.length prod + /\ Seq.get prod i = (k, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_IntoIter'0) (return' (ret:t_HashMap'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'0)-> {inv'0 result} + {[%#siter7] exists done' : borrowed (t_IntoIter'0), prod : Seq.seq (t_K'0, t_V'0) . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + function any'0 [#"collections.rs" 10 0 10 20] (_1 : ()) : Seq.seq (t_K'0, t_V'0) + + use prelude.prelude.Snapshot + + function any'1 [#"collections.rs" 10 0 10 20] (_1 : ()) : borrowed (t_IntoIter'0) + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_into_iter'0 (xs:t_HashMap'0) (return' (ret:t_HashMap'0))= (! bb0 + [ bb0 = bb1 + | bb1 = s0 [ s0 = into_iter'0 {xs} (fun (_ret':t_IntoIter'0) -> [ &it0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {it0} (fun (_ret':t_HashMap'0) -> [ &r <- _ret' ] s1) | s1 = bb3 ] + | bb3 = s0 [ s0 = [ &prod <- [%#scollections0] Snapshot.new (any'0 ()) ] s1 | s1 = bb4 ] + | bb4 = s0 [ s0 = [ &it1 <- [%#scollections1] Snapshot.new (any'1 ()) ] s1 | s1 = bb5 ] + | bb5 = s0 + [ s0 = {[@expl:assertion] [%#scollections2] completed'0 (Snapshot.inner it1)} s1 + | s1 = {[@expl:assertion] [%#scollections3] produces'0 it0 (Snapshot.inner prod) (Snapshot.inner it1).current} s2 + | s2 = bb6 ] + + | bb6 = s0 + [ s0 = {[@expl:assertion] [%#scollections4] forall k : t_K'0, v : t_V'0 . 
get'0 (view'0 r) k = C_Some'0 v + -> contains'0 (Snapshot.inner prod) (k, v)} + s1 + | s1 = bb7 ] + + | bb7 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb8 ] + | bb8 = bb9 + | bb9 = bb10 + | bb10 = return' {_0} ] + ) + [ & _0 : t_HashMap'0 = any_l () + | & xs : t_HashMap'0 = xs + | & it0 : t_IntoIter'0 = any_l () + | & r : t_HashMap'0 = any_l () + | & prod : Snapshot.snap_ty (Seq.seq (t_K'0, t_V'0)) = any_l () + | & it1 : Snapshot.snap_ty (borrowed (t_IntoIter'0)) = any_l () ] + + [ return' (result:t_HashMap'0)-> {[@expl:roundtrip_hashmap_into_iter ensures] [%#scollections5] view'0 result + = view'0 xs} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashmap_iter [#"collections.rs" 36 0 36 85] + let%span scollections0 = "collections.rs" 41 15 41 51 + let%span scollections1 = "collections.rs" 42 14 42 61 + let%span scollections2 = "collections.rs" 43 20 43 43 + let%span scollections3 = "collections.rs" 44 20 44 60 + let%span scollections4 = "collections.rs" 46 20 46 95 + let%span scollections5 = "collections.rs" 35 10 35 87 + let%span shash_map6 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 23 0 37 1 + let%span siter7 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map8 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 72 20 72 54 + let%span shash_map9 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap10 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel12 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span shash_map13 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 240 20 242 73 + let%span shash_map14 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 77 14 77 45 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 75 4 75 10 + let%span shash_map16 = 
"../../../../creusot-contracts/src/std/collections/hash_map.rs" 82 15 82 32 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 83 15 83 32 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 84 14 84 42 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 86 8 86 104 + let%span sresolve20 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel21 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap22 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap23 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap25 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap31 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'3 = + { 
t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashMap'1 = + { t_HashMap__base'1: t_HashMap'3 } + + predicate inv'0 (_1 : t_HashMap'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashMap'1 [inv'0 x] . inv'0 x = true + + type t_FMap'1 + + function view'4 (self : t_HashMap'1) : t_FMap'1 + + function view'1 (self : t_HashMap'1) : t_FMap'1 = + [%#smodel12] view'4 self + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + function view'2 (self : t_Iter'0) : t_FMap'1 + + let rec iter'0 (self:t_HashMap'1) (return' (ret:t_Iter'0))= {[@expl:iter 'self' type invariant] inv'0 self} + any [ return' (result:t_Iter'0)-> {[%#shash_map6] view'1 self = view'2 result} (! return' {result}) ] + + predicate inv'1 (_1 : t_Iter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Iter'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'2 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'2 } + + predicate inv'2 (_1 : t_HashMap'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashMap'0 [inv'2 x] . 
inv'2 x = true + + type t_K'0 + + type t_V'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_Iter'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'1) : int + + axiom len'0_spec : forall self : t_FMap'1 . [%#sfmap23] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = + [%#sseq11] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_Option'2 = + | C_None'0 + | C_Some'1 t_V'0 + + type t_Option'3 = + | C_None'3 + | C_Some'4 t_V'0 + + use map.Map + + function view'6 (self : t_FMap'1) : Map.map t_K'0 (t_Option'3) + + axiom view'6_spec : forall self : t_FMap'1 . [%#sfmap31] forall m1 : t_FMap'1, m2 : t_FMap'1 . m1 <> m2 + -> view'6 m1 <> view'6 m2 + + use map.Map + + function get_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_Option'3 = + [%#sfmap25] Map.get (view'6 self) k + + function get'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_Option'2 = + [%#sfmap10] match get_unsized'1 self k with + | C_None'3 -> C_None'0 + | C_Some'4 x -> C_Some'1 x + end + + type t_Option'4 = + | C_None'4 + | C_Some'2 (t_K'0, t_V'0) + + function get'2 (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'4 = + [%#sseq24] if 0 <= ix /\ ix < Seq.length self then C_Some'2 (Seq.get self ix) else C_None'4 + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) = + [%#shash_map9] len'0 (view'2 self) = Seq.length visited + len'0 (view'2 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'1 (view'2 self) k = C_Some'1 v /\ get'1 (view'2 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'1 (view'2 o) k = C_Some'1 v + -> get'1 (view'2 self) k = C_Some'1 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . 
get'1 (view'2 self) k = C_Some'1 v + -> contains'0 visited (k, v) \/ get'1 (view'2 o) k = C_Some'1 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'2 visited i1 = C_Some'2 (k, v1) + /\ get'2 visited i2 = C_Some'2 (k, v2) -> i1 = i2) + + function produces_trans'0 (a : t_Iter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_Iter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_Iter'0) : () + + = + [%#shash_map19] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq (t_K'0, t_V'0), b : t_Iter'0, bc : Seq.seq (t_K'0, t_V'0), c : t_Iter'0 . ([%#shash_map16] produces'0 a ab b) + -> ([%#shash_map17] produces'0 b bc c) -> ([%#shash_map18] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Iter'0) : () = + [%#shash_map15] () + + axiom produces_refl'0_spec : forall self : t_Iter'0 . [%#shash_map14] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + + predicate resolve'1 (self : borrowed (t_Iter'0)) = + [%#sresolve20] self.final = self.current + + function view'3 (self : borrowed (t_Iter'0)) : t_FMap'1 = + [%#smodel21] view'2 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'1 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap26] len'0 (empty'0 _1) = 0) + && ([%#sfmap27] view'6 (empty'0 _1) = Const.const (C_None'3)) + + function ext_eq'0 (self : t_FMap'1) (other : t_FMap'1) : bool = + [%#sfmap30] view'6 self = view'6 other + + axiom ext_eq'0_spec : forall self : t_FMap'1, other : t_FMap'1 . ([%#sfmap28] ext_eq'0 self other -> self = other) + && ([%#sfmap29] (forall k : t_K'0 . 
get_unsized'1 self k = get_unsized'1 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'1) : bool = + [%#sfmap22] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_Iter'0)) = + [%#shash_map8] resolve'1 self /\ is_empty'0 (view'3 self) + + type t_FMap'0 + + function view'0 (self : t_HashMap'0) : t_FMap'0 + + type t_Option'0 = + | C_None'2 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'3 t_V'0 + + use map.Map + + function view'5 (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + axiom view'5_spec : forall self : t_FMap'0 . [%#sfmap31] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'5 m1 <> view'5 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = + [%#sfmap25] Map.get (view'5 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = + [%#sfmap10] match get_unsized'0 self k with + | C_None'1 -> C_None'2 + | C_Some'3 x -> C_Some'0 x + end + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, t_V'0)) (res : t_HashMap'0) = + [%#shash_map13] forall k : t_K'0, v : t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int . 0 <= i + /\ i < Seq.length prod + /\ Seq.get prod i = (k, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_Iter'0) (return' (ret:t_HashMap'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'0)-> {inv'2 result} + {[%#siter7] exists done' : borrowed (t_Iter'0), prod : Seq.seq (t_K'0, t_V'0) . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! 
return' {result}) ] + + + function any'0 [#"collections.rs" 10 0 10 20] (_1 : ()) : Seq.seq (t_K'0, t_V'0) + + use prelude.prelude.Snapshot + + function any'1 [#"collections.rs" 10 0 10 20] (_1 : ()) : borrowed (t_Iter'0) + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_iter'0 (xs:t_HashMap'1) (return' (ret:t_HashMap'0))= (! bb0 + [ bb0 = s0 [ s0 = iter'0 {xs} (fun (_ret':t_Iter'0) -> [ &it0 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = collect'0 {it0} (fun (_ret':t_HashMap'0) -> [ &r <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = [ &prod <- [%#scollections0] Snapshot.new (any'0 ()) ] s1 | s1 = bb3 ] + | bb3 = s0 [ s0 = [ &it1 <- [%#scollections1] Snapshot.new (any'1 ()) ] s1 | s1 = bb4 ] + | bb4 = s0 + [ s0 = {[@expl:assertion] [%#scollections2] completed'0 (Snapshot.inner it1)} s1 + | s1 = {[@expl:assertion] [%#scollections3] produces'0 it0 (Snapshot.inner prod) (Snapshot.inner it1).current} s2 + | s2 = {[@expl:assertion] [%#scollections4] forall k : t_K'0, v : t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> contains'0 (Snapshot.inner prod) (k, v)} + s3 + | s3 = bb5 ] + + | bb5 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : t_HashMap'0 = any_l () + | & xs : t_HashMap'1 = xs + | & it0 : t_Iter'0 = any_l () + | & r : t_HashMap'0 = any_l () + | & prod : Snapshot.snap_ty (Seq.seq (t_K'0, t_V'0)) = any_l () + | & it1 : Snapshot.snap_ty (borrowed (t_Iter'0)) = any_l () ] + + [ return' (result:t_HashMap'0)-> {[@expl:roundtrip_hashmap_iter ensures] [%#scollections5] forall k : t_K'0, v : t_V'0 . (get'0 (view'0 result) k + = C_Some'0 v) + = (get'1 (view'1 xs) k = C_Some'1 v)} + (! 
return' {result}) ] + +end +module M_collections__roundtrip_hashmap_iter_mut [#"collections.rs" 53 0 53 97] + let%span scollections0 = "collections.rs" 58 15 58 55 + let%span scollections1 = "collections.rs" 59 14 59 65 + let%span scollections2 = "collections.rs" 60 20 60 43 + let%span scollections3 = "collections.rs" 61 20 61 60 + let%span scollections4 = "collections.rs" 63 20 63 99 + let%span scollections5 = "collections.rs" 50 10 50 118 + let%span scollections6 = "collections.rs" 51 10 51 96 + let%span scollections7 = "collections.rs" 52 10 52 99 + let%span shash_map8 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 23 0 37 1 + let%span siter9 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map10 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 174 20 174 54 + let%span shash_map11 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap12 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel14 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap15 = "../../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap16 = "../../../../creusot-contracts/src/logic/fmap.rs" 228 8 228 24 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 230 20 232 99 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 240 20 242 73 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 179 14 179 45 + let%span shash_map20 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 177 4 177 10 + let%span shash_map21 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 184 15 184 32 + let%span shash_map22 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 185 15 185 32 + let%span shash_map23 = 
"../../../../creusot-contracts/src/std/collections/hash_map.rs" 186 14 186 42 + let%span shash_map24 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 188 8 188 104 + let%span sresolve25 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq28 = "../../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 116 9 116 31 + let%span sfmap31 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap32 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap33 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap34 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap35 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap36 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap37 = "../../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 + let%span sutil38 = "../../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil39 = "../../../../creusot-contracts/src/util.rs" 56 10 56 28 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); 
t_RawTable__marker'0: () } + + type t_HashMap'2 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'2 } + + predicate inv'0 (_1 : borrowed (t_HashMap'0)) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_HashMap'0) [inv'0 x] . inv'0 x = true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } + + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } + + type t_K'0 + + type t_FMap'1 + + function view'2 (self : t_HashMap'0) : t_FMap'1 + + type t_V'0 + + type t_Option'3 = + | C_None'2 + | C_Some'4 t_V'0 + + use map.Map + + function view'6 (self : t_FMap'1) : Map.map t_K'0 (t_Option'3) + + axiom view'6_spec : forall self : t_FMap'1 . [%#sfmap36] forall m1 : t_FMap'1, m2 : t_FMap'1 . m1 <> m2 + -> view'6 m1 <> view'6 m2 + + use map.Map + + function get_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_Option'3 = + [%#sfmap29] Map.get (view'6 self) k + + function contains'2 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : bool = + [%#sfmap15] get_unsized'1 self k <> C_None'2 + + type t_FMap'2 + + function view'4 (self : t_IterMut'0) : t_FMap'2 + + type t_Option'1 = + | C_None'1 + | C_Some'3 (borrowed t_V'0) + + use map.Map + + function view'7 (self : t_FMap'2) : Map.map t_K'0 (t_Option'1) + + axiom view'7_spec : forall self : t_FMap'2 . 
[%#sfmap36] forall m1 : t_FMap'2, m2 : t_FMap'2 . m1 <> m2 + -> view'7 m1 <> view'7 m2 + + use map.Map + + function get_unsized'2 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : t_Option'1 = + [%#sfmap29] Map.get (view'7 self) k + + function contains'3 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : bool = + [%#sfmap15] get_unsized'2 self k <> C_None'1 + + function unwrap'1 (op : t_Option'3) : t_V'0 + + axiom unwrap'1_spec : forall op : t_Option'3 . ([%#sutil38] op <> C_None'2) + -> ([%#sutil39] C_Some'4 (unwrap'1 op) = op) + + function lookup_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_V'0 = + [%#sfmap37] unwrap'1 (get_unsized'1 self k) + + function lookup'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_V'0 = + [%#sfmap30] lookup_unsized'1 self k + + function index_logic'1 [@inline:trivial] (self : t_FMap'1) (key : t_K'0) : t_V'0 = + [%#sfmap16] lookup'1 self key + + function unwrap'0 (op : t_Option'1) : borrowed t_V'0 + + axiom unwrap'0_spec : forall op : t_Option'1 . ([%#sutil38] op <> C_None'1) + -> ([%#sutil39] C_Some'3 (unwrap'0 op) = op) + + function lookup_unsized'2 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : borrowed t_V'0 = + [%#sfmap37] unwrap'0 (get_unsized'2 self k) + + function lookup'2 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : borrowed t_V'0 = + [%#sfmap30] lookup_unsized'2 self k + + function index_logic'2 [@inline:trivial] (self : t_FMap'2) (key : t_K'0) : borrowed t_V'0 = + [%#sfmap16] lookup'2 self key + + predicate into_iter_post'0 (self : borrowed (t_HashMap'0)) (res : t_IterMut'0) = + [%#shash_map17] forall k : t_K'0 . contains'2 (view'2 self.current) k = contains'2 (view'2 self.final) k + /\ (forall k : t_K'0 . contains'2 (view'2 self.current) k = contains'3 (view'4 res) k) + /\ (forall k : t_K'0 . 
contains'2 (view'2 self.current) k + -> index_logic'1 (view'2 self.current) k = (index_logic'2 (view'4 res) k).current + /\ index_logic'1 (view'2 self.final) k = (index_logic'2 (view'4 res) k).final) + + let rec iter_mut'0 (self:borrowed (t_HashMap'0)) (return' (ret:t_IterMut'0))= {[@expl:iter_mut 'self' type invariant] inv'0 self} + any [ return' (result:t_IterMut'0)-> {[%#shash_map8] into_iter_post'0 self result} (! return' {result}) ] + + predicate inv'1 (_1 : t_IterMut'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IterMut'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'3 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashMap'1 = + { t_HashMap__base'1: t_HashMap'3 } + + predicate inv'2 (_1 : t_HashMap'1) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashMap'1 [inv'2 x] . inv'2 x = true + + use seq.Seq + + predicate resolve'1 (_1 : t_IterMut'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'2) : int + + axiom len'0_spec : forall self : t_FMap'2 . [%#sfmap27] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) = + [%#sseq13] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) + + function get'2 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : t_Option'0 = + [%#sfmap12] match get_unsized'2 self k with + | C_None'1 -> C_None'0 + | C_Some'3 x -> C_Some'0 x + end + + type t_Option'4 = + | C_None'4 + | C_Some'2 (t_K'0, borrowed t_V'0) + + function get'3 (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'4 = + [%#sseq28] if 0 <= ix /\ ix < Seq.length self then C_Some'2 (Seq.get self ix) else C_None'4 + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) = + [%#shash_map11] len'0 (view'4 self) = Seq.length visited + len'0 (view'4 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'2 (view'4 self) k = C_Some'0 v /\ get'2 (view'4 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'2 (view'4 o) k = C_Some'0 v + -> get'2 (view'4 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'2 (view'4 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'2 (view'4 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . get'3 visited i1 + = C_Some'2 (k, v1) + /\ get'3 visited i2 = C_Some'2 (k, v2) -> i1 = i2) + + function produces_trans'0 (a : t_IterMut'0) (ab : Seq.seq (t_K'0, borrowed t_V'0)) (b : t_IterMut'0) (bc : Seq.seq (t_K'0, borrowed t_V'0)) (c : t_IterMut'0) : () + + = + [%#shash_map24] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_IterMut'0, ab : Seq.seq (t_K'0, borrowed t_V'0), b : t_IterMut'0, bc : Seq.seq (t_K'0, borrowed t_V'0), c : t_IterMut'0 . 
([%#shash_map21] produces'0 a ab b) + -> ([%#shash_map22] produces'0 b bc c) -> ([%#shash_map23] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IterMut'0) : () = + [%#shash_map20] () + + axiom produces_refl'0_spec : forall self : t_IterMut'0 . [%#shash_map19] produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self + + predicate resolve'2 (self : borrowed (t_IterMut'0)) = + [%#sresolve25] self.final = self.current + + function view'3 (self : borrowed (t_IterMut'0)) : t_FMap'2 = + [%#smodel14] view'4 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'2 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap31] len'0 (empty'0 _1) = 0) + && ([%#sfmap32] view'7 (empty'0 _1) = Const.const (C_None'1)) + + function ext_eq'0 (self : t_FMap'2) (other : t_FMap'2) : bool = + [%#sfmap35] view'7 self = view'7 other + + axiom ext_eq'0_spec : forall self : t_FMap'2, other : t_FMap'2 . ([%#sfmap33] ext_eq'0 self other -> self = other) + && ([%#sfmap34] (forall k : t_K'0 . get_unsized'2 self k = get_unsized'2 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'2) : bool = + [%#sfmap26] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_IterMut'0)) = + [%#shash_map10] resolve'2 self /\ is_empty'0 (view'3 self) + + type t_FMap'0 + + function view'0 (self : t_HashMap'1) : t_FMap'0 + + use map.Map + + function view'5 (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + axiom view'5_spec : forall self : t_FMap'0 . [%#sfmap36] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'5 m1 <> view'5 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = + [%#sfmap29] Map.get (view'5 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = + [%#sfmap12] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'3 x -> C_Some'0 x + end + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, borrowed t_V'0)) (res : t_HashMap'1) = + [%#shash_map18] forall k : t_K'0, v : borrowed t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int . 0 <= i + /\ i < Seq.length prod + /\ Seq.get prod i = (k, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_IterMut'0) (return' (ret:t_HashMap'1))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'1)-> {inv'2 result} + {[%#siter9] exists done' : borrowed (t_IterMut'0), prod : Seq.seq (t_K'0, borrowed t_V'0) . resolve'1 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! 
return' {result}) ] + + + function any'0 [#"collections.rs" 10 0 10 20] (_1 : ()) : Seq.seq (t_K'0, borrowed t_V'0) + + use prelude.prelude.Snapshot + + function any'1 [#"collections.rs" 10 0 10 20] (_1 : ()) : borrowed (t_IterMut'0) + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + predicate resolve'3 (self : borrowed (t_HashMap'0)) = + [%#sresolve25] self.final = self.current + + predicate resolve'0 (_1 : borrowed (t_HashMap'0)) = + resolve'3 _1 + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + function view'1 (self : borrowed (t_HashMap'0)) : t_FMap'1 = + [%#smodel14] view'2 self.current + + type t_Option'2 = + | C_None'3 + | C_Some'1 t_V'0 + + function get'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_Option'2 = + [%#sfmap12] match get_unsized'1 self k with + | C_None'2 -> C_None'3 + | C_Some'4 x -> C_Some'1 x + end + + function contains'1 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : bool = + [%#sfmap15] get_unsized'0 self k <> C_None'1 + + function lookup_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : borrowed t_V'0 = + [%#sfmap37] unwrap'0 (get_unsized'0 self k) + + function lookup'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : borrowed t_V'0 = + [%#sfmap30] lookup_unsized'0 self k + + function index_logic'0 [@inline:trivial] (self : t_FMap'0) (key : t_K'0) : borrowed t_V'0 = + [%#sfmap16] lookup'0 self key + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_iter_mut'0 (xs:borrowed (t_HashMap'0)) (return' (ret:t_HashMap'1))= (! 
bb0 + [ bb0 = s0 + [ s0 = Borrow.borrow_final {xs.current} {Borrow.get_id xs} + (fun (_ret':borrowed (t_HashMap'0)) -> [ &_6 <- _ret' ] [ &xs <- { xs with current = _ret'.final } ] s1) + | s1 = iter_mut'0 {_6} (fun (_ret':t_IterMut'0) -> [ &it0 <- _ret' ] s2) + | s2 = bb1 ] + + | bb1 = s0 [ s0 = collect'0 {it0} (fun (_ret':t_HashMap'1) -> [ &r <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = [ &prod <- [%#scollections0] Snapshot.new (any'0 ()) ] s1 | s1 = bb3 ] + | bb3 = s0 [ s0 = [ &it1 <- [%#scollections1] Snapshot.new (any'1 ()) ] s1 | s1 = bb4 ] + | bb4 = s0 + [ s0 = {[@expl:assertion] [%#scollections2] completed'0 (Snapshot.inner it1)} s1 + | s1 = {[@expl:assertion] [%#scollections3] produces'0 it0 (Snapshot.inner prod) (Snapshot.inner it1).current} s2 + | s2 = {[@expl:assertion] [%#scollections4] forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> contains'0 (Snapshot.inner prod) (k, v)} + s3 + | s3 = bb5 ] + + | bb5 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb6 ] + | bb6 = s0 [ s0 = -{resolve'0 xs}- s1 | s1 = return' {_0} ] ] + ) + [ & _0 : t_HashMap'1 = any_l () + | & xs : borrowed (t_HashMap'0) = xs + | & it0 : t_IterMut'0 = any_l () + | & _6 : borrowed (t_HashMap'0) = any_l () + | & r : t_HashMap'1 = any_l () + | & prod : Snapshot.snap_ty (Seq.seq (t_K'0, borrowed t_V'0)) = any_l () + | & it1 : Snapshot.snap_ty (borrowed (t_IterMut'0)) = any_l () ] + + [ return' (result:t_HashMap'1)-> {[@expl:roundtrip_hashmap_iter_mut ensures #0] [%#scollections5] forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 result) k + = C_Some'0 v -> get'1 (view'1 xs) k = C_Some'1 (v.current) /\ get'1 (view'2 xs.final) k = C_Some'1 (v.final)} + {[@expl:roundtrip_hashmap_iter_mut ensures #1] [%#scollections6] forall k : t_K'0, v : t_V'0 . get'1 (view'1 xs) k + = C_Some'1 v -> contains'1 (view'0 result) k /\ (index_logic'0 (view'0 result) k).current = v} + {[@expl:roundtrip_hashmap_iter_mut ensures #2] [%#scollections7] forall k : t_K'0, v : t_V'0 . 
get'1 (view'2 xs.final) k + = C_Some'1 v -> contains'1 (view'0 result) k /\ (index_logic'0 (view'0 result) k).final = v} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashset_into_iter [#"collections.rs" 68 0 68 78] + let%span scollections0 = "collections.rs" 67 10 67 24 + let%span siter1 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_set3 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 142 20 142 24 + let%span shash_set4 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 148 20 148 33 + let%span shash_set5 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 118 20 118 38 + let%span shash_set6 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span shash_set7 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 170 20 170 69 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 123 14 123 45 + let%span shash_set9 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 121 4 121 10 + let%span shash_set10 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 128 15 128 32 + let%span shash_set11 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 129 15 129 32 + let%span shash_set12 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 130 14 130 42 + let%span shash_set13 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 132 8 132 44 + let%span smodel14 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfset15 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq16 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq18 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use 
prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + predicate inv'0 (_1 : t_HashSet'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'0 [inv'0 x] . inv'0 x = true + + predicate into_iter_pre'0 (self : t_HashSet'0) = + [%#shash_set3] true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | 
C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } + + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_T'0 + + use set.Fset + + function view'0 (self : t_HashSet'0) : Fset.fset t_T'0 + + function view'1 (self : t_IntoIter'0) : Fset.fset t_T'0 + + predicate into_iter_post'0 (self : t_HashSet'0) (res : t_IntoIter'0) = + [%#shash_set4] view'0 self = view'1 
res + + let rec into_iter'0 (self:t_HashSet'0) (return' (ret:t_IntoIter'0))= {[@expl:into_iter 'self' type invariant] inv'0 self} + {[@expl:into_iter requires] [%#siter1] into_iter_pre'0 self} + any [ return' (result:t_IntoIter'0)-> {[%#siter1] into_iter_post'0 self result} (! return' {result}) ] + + predicate inv'1 (_1 : t_IntoIter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IntoIter'0 [inv'1 x] . inv'1 x = true + + use prelude.prelude.Borrow + + use seq.Seq + + predicate resolve'0 (_1 : t_IntoIter'0) = + true + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_T'0) (e : t_T'0) = + [%#sfset15] Fset.mem e self + + use seq.Seq + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq16] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + use seq.Seq + + function concat_contains'0 (_1 : ()) : () = + [%#sseq18] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq17] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x + + use seq.Seq + + predicate produces'0 (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = + [%#shash_set6] Fset.cardinal (view'1 self) = Seq.length visited + Fset.cardinal (view'1 o) + /\ (forall x : t_T'0 . contains'0 (view'1 self) x -> contains'1 visited x \/ contains'0 (view'1 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'1 self) x /\ not contains'0 (view'1 o) x) + /\ (forall x : t_T'0 . contains'0 (view'1 o) x -> contains'0 (view'1 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 
0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) + + function produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + = + [%#shash_set13] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq t_T'0, b : t_IntoIter'0, bc : Seq.seq t_T'0, c : t_IntoIter'0 . ([%#shash_set10] produces'0 a ab b) + -> ([%#shash_set11] produces'0 b bc c) -> ([%#shash_set12] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IntoIter'0) : () = + [%#shash_set9] () + + axiom produces_refl'0_spec : forall self : t_IntoIter'0 . [%#shash_set8] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + function view'2 (self : borrowed (t_IntoIter'0)) : Fset.fset t_T'0 = + [%#smodel14] view'1 self.current + + use set.Fset + + predicate completed'0 (self : borrowed (t_IntoIter'0)) = + [%#shash_set5] Fset.is_empty (view'2 self) + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set7] forall x : t_T'0 . contains'0 (view'0 res) x = contains'1 prod x + + let rec collect'0 (self:t_IntoIter'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashSet'0)-> {inv'0 result} + {[%#siter2] exists done' : borrowed (t_IntoIter'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashset_into_iter'0 (xs:t_HashSet'0) (return' (ret:t_HashSet'0))= (! 
bb0 + [ bb0 = bb1 + | bb1 = s0 [ s0 = into_iter'0 {xs} (fun (_ret':t_IntoIter'0) -> [ &_3 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {_3} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : t_HashSet'0 = any_l () | & xs : t_HashSet'0 = xs | & _3 : t_IntoIter'0 = any_l () ] + [ return' (result:t_HashSet'0)-> {[@expl:roundtrip_hashset_into_iter ensures] [%#scollections0] view'0 result + = view'0 xs} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashset_iter [#"collections.rs" 73 0 73 75] + let%span scollections0 = "collections.rs" 72 10 72 63 + let%span shash_set1 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 19 0 38 1 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span sfset3 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span shash_set5 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 69 20 69 38 + let%span shash_set6 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span shash_set7 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 170 20 170 69 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 74 14 74 45 + let%span shash_set9 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 72 4 72 10 + let%span shash_set10 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 79 15 79 32 + let%span shash_set11 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 80 15 80 32 + let%span shash_set12 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 81 14 81 42 + let%span shash_set13 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 83 8 83 44 + let%span smodel14 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sseq15 = 
"../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq16 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'1 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashSet'3 = + { t_HashSet__map'1: t_HashMap'1 } + + type t_HashSet'1 = + { t_HashSet__base'1: t_HashSet'3 } + + predicate inv'0 (_1 : t_HashSet'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'1 [inv'0 x] . 
inv'0 x = true + + type t_T'0 + + use set.Fset + + function view'3 (self : t_HashSet'1) : Fset.fset t_T'0 + + function view'1 (self : t_HashSet'1) : Fset.fset t_T'0 = + [%#smodel4] view'3 self + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + function view'2 (self : t_Iter'0) : Fset.fset t_T'0 + + let rec iter'0 (self:t_HashSet'1) (return' (ret:t_Iter'0))= {[@expl:iter 'self' type invariant] inv'0 self} + any [ return' (result:t_Iter'0)-> {[%#shash_set1] view'1 self = view'2 result} (! return' {result}) ] + + predicate inv'1 (_1 : t_Iter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Iter'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'2 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'2 } + + predicate inv'2 (_1 : t_HashSet'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashSet'0 [inv'2 x] . 
inv'2 x = true + + use seq.Seq + + predicate resolve'0 (_1 : t_Iter'0) = + true + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'1 [@inline:trivial] (self : Fset.fset t_T'0) (e : t_T'0) = + [%#sfset3] Fset.mem e self + + use seq.Seq + + predicate contains'2 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq15] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + use seq.Seq + + function concat_contains'0 (_1 : ()) : () = + [%#sseq17] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq16] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'2 (Seq.(++) a b) x + = contains'2 a x + \/ contains'2 b x + + use seq.Seq + + predicate produces'0 (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) = + [%#shash_set6] Fset.cardinal (view'2 self) = Seq.length visited + Fset.cardinal (view'2 o) + /\ (forall x : t_T'0 . contains'1 (view'2 self) x -> contains'2 visited x \/ contains'1 (view'2 o) x) + /\ (forall x : t_T'0 . contains'2 visited x -> contains'1 (view'2 self) x /\ not contains'1 (view'2 o) x) + /\ (forall x : t_T'0 . contains'1 (view'2 o) x -> contains'1 (view'2 self) x /\ not contains'2 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) + + function produces_trans'0 (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + = + [%#shash_set13] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq t_T'0, b : t_Iter'0, bc : Seq.seq t_T'0, c : t_Iter'0 . 
([%#shash_set10] produces'0 a ab b) + -> ([%#shash_set11] produces'0 b bc c) -> ([%#shash_set12] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Iter'0) : () = + [%#shash_set9] () + + axiom produces_refl'0_spec : forall self : t_Iter'0 . [%#shash_set8] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + function view'4 (self : borrowed (t_Iter'0)) : Fset.fset t_T'0 = + [%#smodel14] view'2 self.current + + use set.Fset + + predicate completed'0 (self : borrowed (t_Iter'0)) = + [%#shash_set5] Fset.is_empty (view'4 self) + + use set.Fset + + function view'0 (self : t_HashSet'0) : Fset.fset t_T'0 + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_T'0) (e : t_T'0) = + [%#sfset3] Fset.mem e self + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set7] forall x : t_T'0 . contains'0 (view'0 res) x = contains'2 prod x + + let rec collect'0 (self:t_Iter'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashSet'0)-> {inv'2 result} + {[%#siter2] exists done' : borrowed (t_Iter'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashset_iter'0 (xs:t_HashSet'1) (return' (ret:t_HashSet'0))= (! bb0 + [ bb0 = s0 [ s0 = iter'0 {xs} (fun (_ret':t_Iter'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = collect'0 {_3} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_HashSet'0 = any_l () | & xs : t_HashSet'1 = xs | & _3 : t_Iter'0 = any_l () ] + [ return' (result:t_HashSet'0)-> {[@expl:roundtrip_hashset_iter ensures] [%#scollections0] forall k : t_T'0 . contains'0 (view'0 result) k + = contains'1 (view'1 xs) k} + (! 
return' {result}) ] + +end +module M_collections__hashset_intersection [#"collections.rs" 78 0 78 96] + let%span scollections0 = "collections.rs" 77 10 77 42 + let%span shash_set1 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 32 30 32 67 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter3 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span smodel4 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span scopied5 = "../../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span scopied6 = "../../../../creusot-contracts/src/std/iter/copied.rs" 40 12 40 105 + let%span scopied7 = "../../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 170 20 170 69 + let%span scopied9 = "../../../../creusot-contracts/src/std/iter/copied.rs" 21 8 21 29 + let%span scopied10 = "../../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 + let%span scopied11 = "../../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 + let%span scopied12 = "../../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 + let%span scopied13 = "../../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 + let%span shash_set14 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 203 20 203 56 + let%span shash_set15 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sfset16 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_set18 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 208 14 208 45 + let%span shash_set19 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 206 4 206 10 + let%span shash_set20 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 213 15 213 32 + 
let%span shash_set21 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 214 15 214 32 + let%span shash_set22 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 215 14 215 42 + let%span shash_set23 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 217 8 217 44 + let%span sresolve24 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel25 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sseq26 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq27 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + predicate inv'0 (_1 : t_HashSet'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'0 [inv'0 x] . 
inv'0 x = true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + predicate inv'1 (_1 : t_Intersection'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Intersection'0 [inv'1 x] . inv'1 x = true + + type t_T'0 + + use set.Fset + + function view'2 (self : t_Intersection'0) : Fset.fset t_T'0 + + function view'0 (self : t_HashSet'0) : Fset.fset t_T'0 + + function view'1 (self : t_HashSet'0) : Fset.fset t_T'0 = + [%#smodel4] view'0 self + + use set.Fset + + let rec intersection'0 (self:t_HashSet'0) (other:t_HashSet'0) (return' (ret:t_Intersection'0))= {[@expl:intersection 'self' type invariant] inv'0 self} + {[@expl:intersection 'other' type invariant] inv'0 other} + any + [ return' (result:t_Intersection'0)-> {inv'1 result} + {[%#shash_set1] view'2 result = Fset.inter (view'1 self) (view'1 other)} + (! return' {result}) ] + + + type t_Copied'0 = + { t_Copied__it'0: t_Intersection'0 } + + predicate inv'2 (_1 : t_Copied'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_Copied'0 [inv'2 x] . inv'2 x = true + + function iter'0 (self : t_Copied'0) : t_Intersection'0 + + axiom iter'0_spec : forall self : t_Copied'0 . 
[%#scopied5] inv'2 self -> inv'1 (iter'0 self) + + let rec copied'0 (self:t_Intersection'0) (return' (ret:t_Copied'0))= {[@expl:copied 'self' type invariant] inv'1 self} + any [ return' (result:t_Copied'0)-> {inv'2 result} {[%#siter2] iter'0 result = self} (! return' {result}) ] + + predicate inv'3 (_1 : t_HashSet'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_HashSet'0 [inv'3 x] . inv'3 x = true + + use seq.Seq + + predicate resolve'2 (_1 : t_Intersection'0) = + true + + predicate resolve'1 (self : t_Copied'0) = + [%#scopied9] resolve'2 (iter'0 self) + + predicate resolve'0 (_1 : t_Copied'0) = + resolve'1 _1 + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + predicate contains'2 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + function concat_contains'0 (_1 : ()) : () = + [%#sseq27] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq26] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'2 (Seq.(++) a b) x + = contains'2 a x + \/ contains'2 b x + + use seq.Seq + + use set.Fset + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_T'0) (e : t_T'0) = + [%#sfset16] Fset.mem e self + + predicate produces'1 (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = + [%#shash_set15] Fset.cardinal (view'2 self) = Seq.length visited + Fset.cardinal (view'2 o) + /\ (forall x : t_T'0 . contains'0 (view'2 self) x -> contains'2 visited x \/ contains'0 (view'2 o) x) + /\ (forall x : t_T'0 . contains'2 visited x -> contains'0 (view'2 self) x /\ not contains'0 (view'2 o) x) + /\ (forall x : t_T'0 . contains'0 (view'2 o) x -> contains'0 (view'2 self) x /\ not contains'2 visited x) + /\ (forall x : t_T'0, i : int, j : int . 
0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) + + function produces_trans'1 (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () + + = + [%#shash_set23] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom produces_trans'1_spec : forall a : t_Intersection'0, ab : Seq.seq t_T'0, b : t_Intersection'0, bc : Seq.seq t_T'0, c : t_Intersection'0 . ([%#shash_set20] produces'1 a ab b) + -> ([%#shash_set21] produces'1 b bc c) -> ([%#shash_set22] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 (self : t_Intersection'0) : () = + [%#shash_set19] () + + axiom produces_refl'1_spec : forall self : t_Intersection'0 . [%#shash_set18] produces'1 self (Seq.empty : Seq.seq t_T'0) self + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) = + [%#scopied7] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + + function produces_trans'0 (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () + + + axiom produces_trans'0_spec : forall a : t_Copied'0, ab : Seq.seq t_T'0, b : t_Copied'0, bc : Seq.seq t_T'0, c : t_Copied'0 . ([%#scopied11] produces'0 a ab b) + -> ([%#scopied12] produces'0 b bc c) -> ([%#scopied13] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Copied'0) : () + + axiom produces_refl'0_spec : forall self : t_Copied'0 . 
[%#scopied10] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + predicate resolve'3 (self : borrowed (t_Intersection'0)) = + [%#sresolve24] self.final = self.current + + function view'3 (self : borrowed (t_Intersection'0)) : Fset.fset t_T'0 = + [%#smodel25] view'2 self.current + + use set.Fset + + predicate completed'1 (self : borrowed (t_Intersection'0)) = + [%#shash_set14] resolve'3 self /\ Fset.is_empty (view'3 self) + + predicate completed'0 (self : borrowed (t_Copied'0)) = + [%#scopied6] exists inner : borrowed (t_Intersection'0) . inner.current = iter'0 self.current + /\ inner.final = iter'0 self.final /\ completed'1 inner + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set8] forall x : t_T'0 . contains'0 (view'0 res) x = contains'1 prod x + + let rec collect'0 (self:t_Copied'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'2 self} + any + [ return' (result:t_HashSet'0)-> {inv'3 result} + {[%#siter3] exists done' : borrowed (t_Copied'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec hashset_intersection'0 (xs:t_HashSet'0) (ys:t_HashSet'0) (return' (ret:t_HashSet'0))= (! 
bb0 + [ bb0 = s0 [ s0 = intersection'0 {xs} {ys} (fun (_ret':t_Intersection'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = copied'0 {_5} (fun (_ret':t_Copied'0) -> [ &_4 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {_4} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = return' {_0} ] + ) + [ & _0 : t_HashSet'0 = any_l () + | & xs : t_HashSet'0 = xs + | & ys : t_HashSet'0 = ys + | & _4 : t_Copied'0 = any_l () + | & _5 : t_Intersection'0 = any_l () ] + + [ return' (result:t_HashSet'0)-> {[@expl:hashset_intersection ensures] [%#scollections0] view'0 result + = Fset.inter (view'1 xs) (view'1 ys)} + (! return' {result}) ] + +end diff --git a/creusot/tests/should_succeed/cc/collections.rs b/creusot/tests/should_succeed/cc/collections.rs new file mode 100644 index 000000000..720f5404c --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections.rs 
@@ -0,0 +1,80 @@
+extern crate creusot_contracts;
+use creusot_contracts::*;
+use std::{
+ collections::{hash_map, HashMap, HashSet},
+ hash::Hash,
+};
+
+#[trusted]
+#[logic]
+pub fn any() -> T {
+ dead
+}
+
+#[ensures(result@ == xs@)]
+pub fn roundtrip_hashmap_into_iter(xs: HashMap) -> HashMap {
+ let it0 = xs.into_iter();
+ let r: HashMap = it0.collect();
+ /*
+ let x = snapshot! { such_that(|x: (Seq<(K,V)>, &mut hash_map::IntoIter)| {
+ let (prod, it1) = x;
+ it1.completed()
+ && it0.produces(prod, *it1)
+ })}; */
+
+ // epsilon
+ let prod = snapshot! { any::>() };
+ let it1 = snapshot! { any::<&mut hash_map::IntoIter>() };
+ proof_assert! { it1.inner().completed() };
+ proof_assert! { it0.produces(prod.inner(), *it1.inner()) };
+
+ proof_assert! { forall r@.get(k) == Some(v) ==> prod.inner().contains((k, v))};
+ r
+}
+
+#[ensures(forall (result@.get(k) == Some(v)) == (xs@.get(*k) == Some(*v)))]
+pub fn roundtrip_hashmap_iter(xs: &HashMap) -> HashMap<&K, &V> {
+ let it0 = xs.iter();
+ let r: HashMap<&K, &V> = it0.collect();
+
+ // epsilon
+ let prod = snapshot! { any::>() };
+ let it1 = snapshot! { any::<&mut hash_map::Iter>() };
+ proof_assert! { it1.inner().completed() };
+ proof_assert! { it0.produces(prod.inner(), *it1.inner()) };
+
+ proof_assert! { forall r@.get(k) == Some(v) ==> prod.inner().contains((k, v)) };
+ r
+}
+
+#[ensures(forall result@.get(k) == Some(v) ==> xs@.get(*k) == Some(*v) && (^xs)@.get(*k) == Some(^v))]
+#[ensures(forall xs@.get(*k) == Some(v) ==> result@.contains(k) && *result@[k] == v)]
+#[ensures(forall (^xs)@.get(*k) == Some(v) ==> result@.contains(k) && ^result@[k] == v)]
+pub fn roundtrip_hashmap_iter_mut(xs: &mut HashMap) -> HashMap<&K, &mut V> {
+ let it0 = xs.iter_mut();
+ let r: HashMap<&K, &mut V> = it0.collect();
+
+ // epsilon
+ let prod = snapshot! { any::>() };
+ let it1 = snapshot! { any::<&mut hash_map::IterMut>() };
+ proof_assert! { it1.inner().completed() };
+ proof_assert! 
{ it0.produces(prod.inner(), *it1.inner()) }; + + proof_assert! { forall r@.get(k) == Some(v) ==> prod.inner().contains((k, v)) }; + r +} + +#[ensures(result@ == xs@)] +pub fn roundtrip_hashset_into_iter(xs: HashSet) -> HashSet { + xs.into_iter().collect() +} + +#[ensures(forall result@.contains(k) == xs@.contains(*k))] +pub fn roundtrip_hashset_iter(xs: &HashSet) -> HashSet<&T> { + xs.iter().collect() +} + +#[ensures(result@ == xs@.intersection(ys@))] +pub fn hashset_intersection(xs: &HashSet, ys: &HashSet) -> HashSet { + xs.intersection(ys).copied().collect() +} diff --git a/creusot/tests/should_succeed/cc/collections/why3session.xml b/creusot/tests/should_succeed/cc/collections/why3session.xml new file mode 100644 index 000000000..91fbaf7c2 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections/why3session.xml @@ -0,0 +1,140 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/creusot/tests/should_succeed/cc/collections/why3shapes.gz b/creusot/tests/should_succeed/cc/collections/why3shapes.gz new file mode 100644 index 000000000..66b520cf8 Binary files /dev/null and b/creusot/tests/should_succeed/cc/collections/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.coma b/creusot/tests/should_succeed/iterators/08_collect_extend.coma index aedea4bc3..527913b36 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.coma +++ b/creusot/tests/should_succeed/iterators/08_collect_extend.coma 
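Review bot: In the three `roundtrip_hashmap_*` functions of `collections.rs`, the `// epsilon` witnesses `prod` and `it1` are taken from `any()`, a `#[trusted]` logic function with no contract, and the `proof_assert!`s that follow state that `it1` is completed and that `it0.produces(prod.inner(), *it1.inner())`. Nothing visible in this hunk ties those arbitrary values to the witnesses that `collect`'s postcondition presumably quantifies over, so it is worth confirming that the recorded proof session really discharges these assertions rather than leaving them open. Because `any` is trusted it sits outside what the prover checks; I would drop the `pub` and state its role above it, e.g. `// Unverified stand-in for a choice operator; only names the witnesses of collect's postcondition.` The commented-out `such_that` block in `roundtrip_hashmap_into_iter` should be deleted or reduced to a one-line TODO naming the intended replacement.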
@@ -24,7 +24,7 @@ module M_08_collect_extend__extend [#"08_collect_extend.rs" 26 0 26 66] let%span siter22 = "../../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 let%span sresolve23 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant24 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 630 20 630 95 let%span svec26 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sboxed27 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 @@ -345,7 +345,7 @@ module M_08_collect_extend__collect [#"08_collect_extend.rs" 44 0 44 52] let%span sresolve21 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span smodel22 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 let%span svec23 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 630 20 630 95 let%span sinvariant25 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sboxed26 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18