From 90dfbcafcd8019526f89b17e5e4a9e3b7e4f622f Mon Sep 17 00:00:00 2001
From: Li-yao Xia
Date: Fri, 6 Dec 2024 22:50:39 +0100
Subject: [PATCH] Add specs for iterators of HashMap and HashSet
---
creusot-contracts/src/logic/fset.rs | 11 +
creusot-contracts/src/logic/seq.rs | 10 +
creusot-contracts/src/std.rs | 4 +
.../src/std/collections/hash_map.rs | 244 +
.../src/std/collections/hash_set.rs | 221 +
creusot-contracts/src/std/default.rs | 10 +
.../creusot-contracts/creusot-contracts.coma | 20547 +++++++++-------
.../creusot-contracts/why3session.xml | 388 +-
.../creusot-contracts/why3shapes.gz | Bin 24505 -> 27421 bytes
creusot/tests/should_fail/bug/603.stderr | 2 +-
.../diagnostics/view_unimplemented.stderr | 4 +-
.../tests/should_succeed/cc/collections.coma | 1905 ++
.../tests/should_succeed/cc/collections.rs | 80 +
.../cc/collections/why3session.xml | 140 +
.../cc/collections/why3shapes.gz | Bin 0 -> 2918 bytes
.../iterators/08_collect_extend.coma | 4 +-
16 files changed, 15081 insertions(+), 8489 deletions(-)
create mode 100644 creusot-contracts/src/std/collections/hash_map.rs
create mode 100644 creusot-contracts/src/std/collections/hash_set.rs
create mode 100644 creusot/tests/should_succeed/cc/collections.coma
create mode 100644 creusot/tests/should_succeed/cc/collections.rs
create mode 100644 creusot/tests/should_succeed/cc/collections/why3session.xml
create mode 100644 creusot/tests/should_succeed/cc/collections/why3shapes.gz
diff --git a/creusot-contracts/src/logic/fset.rs b/creusot-contracts/src/logic/fset.rs
index 9ebd35b765..469bbb09c7 100644
--- a/creusot-contracts/src/logic/fset.rs
+++ b/creusot-contracts/src/logic/fset.rs
@@ -114,6 +114,17 @@ impl FSet { dead } + /// Returns a new set, which is the union of `self` and `other`. + /// + /// An element is in the result if it is in `self` _or_ if it is in `other`. + #[trusted] + #[logic] + #[creusot::builtins = "set.Fset.inter"] + pub fn intersection(self, other: Self) -> Self { + let _ = other; + dead + } + /// Returns `true` if every element of `self` is in `other`. #[trusted] #[predicate] diff --git a/creusot-contracts/src/logic/seq.rs b/creusot-contracts/src/logic/seq.rs index d28a4a84b2..8146bbd1b4 100644 --- a/creusot-contracts/src/logic/seq.rs +++ b/creusot-contracts/src/logic/seq.rs @@ -376,6 +376,16 @@ impl Seq { { self.sorted_range(0, self.len()) } + + #[open] + #[logic] + #[ensures(forall, b: Seq, x: T> + a.concat(b).contains(x) == a.contains(x) || b.contains(x))] + pub fn concat_contains() + where + T: Sized, + { + } } impl Seq<&T> { diff --git a/creusot-contracts/src/std.rs b/creusot-contracts/src/std.rs index ec83701067..08c5948870 100644 --- a/creusot-contracts/src/std.rs +++ b/creusot-contracts/src/std.rs @@ -3,6 +3,10 @@ pub use ::std::*; pub mod array; pub mod boxed; pub mod clone; +pub mod collections { + pub mod hash_map; + pub mod hash_set; +} pub mod cmp; pub mod default; pub mod deque; diff --git a/creusot-contracts/src/std/collections/hash_map.rs b/creusot-contracts/src/std/collections/hash_map.rs new file mode 100644 index 0000000000..534a0edeb4 --- /dev/null +++ b/creusot-contracts/src/std/collections/hash_map.rs 
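Review bot: The doc comment added above `intersection` describes a union ("the union of `self` and `other`", "in `self` _or_ if it is in `other`"), while the function is bound to the builtin `set.Fset.inter`. The function is `#[trusted]` with body `dead`, so the comment and the builtin name are the only statement of its meaning, and a proof author reading the comment would assume the wrong property. The first doc line should say "intersection" instead of "union", and the third should say an element is in the result if it is in `self` _and_ in `other`.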
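Review bot: The postcondition of `concat_contains` is written `a.concat(b).contains(x) == a.contains(x) || b.contains(x)` with no parentheses around the disjunction. If Pearlite follows Rust operator precedence, where `==` binds tighter than `||`, this states `(a.concat(b).contains(x) == a.contains(x)) || b.contains(x)`, which says nothing about `x` whenever `b` contains it and is weaker than the lemma's name suggests. Writing `a.concat(b).contains(x) == (a.contains(x) || b.contains(x))` makes the intended equivalence explicit. A one-line doc comment such as `/// An element is in a concatenation iff it is in one of the two parts.` would also help, since the function is public and has none.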
@@ -0,0 +1,244 @@
+use crate::{
+ logic::FMap,
+ std::iter::{FromIterator, IntoIterator, Iterator},
+ *,
+};
+use ::std::{
+ collections::hash_map::*,
+ default::Default,
+ hash::{BuildHasher, Hash},
+};
+
+impl View for HashMap {
+ type ViewTy = FMap;
+
+ #[logic]
+ #[trusted]
+ #[open]
+ fn view(self) -> Self::ViewTy {
+ dead
+ }
+}
+
+extern_spec! {
+ mod std {
+ mod collections {
+ mod hash_map {
+ impl HashMap {
+ #[ensures(self@ == result@)]
+ fn iter(&self) -> Iter<'_, K, V>;
+
+ #[ensures(self.into_iter_post(result))]
+ fn iter_mut(&mut self) -> IterMut<'_, K, V>;
+ }
+ }
+ }
+ }
+}
+
+impl<'a, K, V> View for Iter<'a, K, V> {
+ type ViewTy = FMap;
+
+ #[logic]
+ #[trusted]
+ #[open]
+ fn view(self) -> Self::ViewTy {
+ dead
+ }
+}
+
+impl<'a, K, V> Iterator for Iter<'a, K, V> {
+ #[open]
+ #[predicate(prophetic)]
+ fn produces(self, visited: Seq, o: Self) -> bool {
+ // self@ equals the union of visited (viewed as a fmap) and o@
+ pearlite! {
+ self@.len() == visited.len() + o@.len()
+ && (forall visited.contains((&k, &v))
+ ==> self@.get(k) == Some(v) && o@.get(k) == None)
+ && (forall o@.get(k) == Some(v)
+ ==> self@.get(k) == Some(v) && !(exists visited.contains((&k, &v2))))
+ && (forall self@.get(k) == Some(v)
+ ==> visited.contains((&k, &v)) || (o@.get(k) == Some(v)))
+ && (forall
+ visited.get(i1) == Some((k, v1)) && visited.get(i2) == Some((k, v2))
+ ==> i1 == i2)
+ }
+ }
+
+ #[open]
+ #[predicate(prophetic)]
+ fn completed(&mut self) -> bool {
+ pearlite! { self.resolve() && self@.is_empty() }
+ }
+
+ #[law]
+ #[open]
+ #[ensures(self.produces(Seq::EMPTY, self))]
+ fn produces_refl(self) {}
+
+ #[law]
+ #[open]
+ #[requires(a.produces(ab, b))]
+ #[requires(b.produces(bc, c))]
+ #[ensures(a.produces(ab.concat(bc), c))]
+ fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {
+ proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }
+ }
+}
+
+impl View for IntoIter {
+ type ViewTy = FMap;
+
+ #[logic]
+ #[trusted]
+ #[open]
+ fn view(self) -> Self::ViewTy {
+ dead
+ }
+}
+
+impl Iterator for IntoIter {
+ #[open]
+ #[predicate(prophetic)]
+ fn produces(self, visited: Seq, o: Self) -> bool {
+ // self@ equals the union of visited (viewed as a fmap) and o@
+ pearlite! {
+ self@.len() == visited.len() + o@.len()
+ && (forall visited.contains((k, v))
+ ==> self@.get(k) == Some(v) && o@.get(k) == None)
+ && (forall o@.get(k) == Some(v)
+ ==> self@.get(k) == Some(v) && !(exists visited.contains((k, v2))))
+ && (forall self@.get(k) == Some(v)
+ ==> visited.contains((k, v)) || (o@.get(k) == Some(v)))
+ && (forall
+ visited.get(i1) == Some((k, v1)) && visited.get(i2) == Some((k, v2))
+ ==> i1 == i2)
+ }
+ }
+
+ #[open]
+ #[predicate(prophetic)]
+ fn completed(&mut self) -> bool {
+ pearlite! { self.resolve() && self@.is_empty() }
+ }
+
+ #[law]
+ #[open]
+ #[ensures(self.produces(Seq::EMPTY, self))]
+ fn produces_refl(self) {}
+
+ #[law]
+ #[open]
+ #[requires(a.produces(ab, b))]
+ #[requires(b.produces(bc, c))]
+ #[ensures(a.produces(ab.concat(bc), c))]
+ fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {
+ proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }
+ }
+}
+
+impl<'a, K, V> View for IterMut<'a, K, V> {
+ type ViewTy = FMap;
+
+ #[logic]
+ #[trusted]
+ #[open]
+ fn view(self) -> Self::ViewTy {
+ dead
+ }
+}
+
+impl<'a, K, V> Iterator for IterMut<'a, K, V> {
+ #[open]
+ #[predicate(prophetic)]
+ fn produces(self, visited: Seq, o: Self) -> bool {
+ // self@ equals the union of visited (viewed as a fmap) and o@
+ pearlite! {
+ self@.len() == visited.len() + o@.len()
+ && (forall visited.contains((&k, v))
+ ==> self@.get(k) == Some(v) && o@.get(k) == None)
+ && (forall o@.get(k) == Some(v)
+ ==> self@.get(k) == Some(v) && !(exists visited.contains((&k, v2))))
+ && (forall self@.get(k) == Some(v)
+ ==> visited.contains((&k, v)) || (o@.get(k) == Some(v)))
+ && (forall
+ visited.get(i1) == Some((k, v1)) && visited.get(i2) == Some((k, v2))
+ ==> i1 == i2)
+ }
+ }
+
+ #[open]
+ #[predicate(prophetic)]
+ fn completed(&mut self) -> bool {
+ pearlite! { self.resolve() && self@.is_empty() }
+ }
+
+ #[law]
+ #[open]
+ #[ensures(self.produces(Seq::EMPTY, self))]
+ fn produces_refl(self) {}
+
+ #[law]
+ #[open]
+ #[requires(a.produces(ab, b))]
+ #[requires(b.produces(bc, c))]
+ #[ensures(a.produces(ab.concat(bc), c))]
+ fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {
+ proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }
+ }
+}
+
+impl IntoIterator for HashMap {
+ #[predicate]
+ #[open]
+ fn into_iter_pre(self) -> bool {
+ pearlite! { true }
+ }
+
+ #[predicate]
+ #[open]
+ fn into_iter_post(self, res: Self::IntoIter) -> bool {
+ pearlite! { self@ == res@ }
+ }
+}
+
+impl IntoIterator for &HashMap {
+ #[predicate]
+ #[open]
+ fn into_iter_pre(self) -> bool {
+ pearlite! { true }
+ }
+
+ #[predicate]
+ #[open]
+ fn into_iter_post(self, res: Self::IntoIter) -> bool {
+ pearlite! { self@ == res@ }
+ }
+}
+
+impl IntoIterator for &mut HashMap {
+ #[predicate]
+ #[open]
+ fn into_iter_pre(self) -> bool {
+ pearlite! { true }
+ }
+
+ #[predicate(prophetic)]
+ #[open]
+ fn into_iter_post(self, res: Self::IntoIter) -> bool {
+ pearlite! { forall (*self)@.contains(k) == (^self)@.contains(k)
+ && (forall (*self)@.contains(k) == res@.contains(k))
+ && forall (*self)@.contains(k) ==> (*self)@[k] == *res@[k] && (^self)@[k] == ^res@[k] }
+ }
+}
+
+impl FromIterator<(K, V)> for HashMap {
+ #[predicate]
+ #[open]
+ fn from_iter_post(prod: Seq<(K, V)>, res: Self) -> bool {
+ pearlite! { forall (res@.get(k) == Some(v))
+ == (exists 0 <= i && i < prod.len() && prod[i] == (k, v)
+ && forall i < j && j < prod.len() ==> prod[j].0 != k) }
+ }
+}
diff --git a/creusot-contracts/src/std/collections/hash_set.rs b/creusot-contracts/src/std/collections/hash_set.rs
new file mode 100644
index 0000000000..1d7f75b4d9
--- /dev/null
+++ b/creusot-contracts/src/std/collections/hash_set.rs
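Review bot: `from_iter_post` picks the surviving pair with `prod[j].0 != k`, and every `view` in this file is `#[trusted]` with body `dead`, so the model treats two keys as distinct exactly when they are logically different. The runtime map merges keys using the key type's `Eq` and `Hash` implementations, and nothing visible here requires those to coincide with logical equality; for a key type where they differ, these trusted specs would let a client prove facts the program does not satisfy. Either record the assumption next to the `View` impl, e.g. `// Sound only if K's Eq/Hash agree with logical equality on K.`, or model the map over a logical abstraction of the key rather than the key itself. The same applies to `from_iter_post` for `HashSet` in hash_set.rs (`res@.contains(x) == prod.contains(x)`). The impl headers on this page have lost their generic parameters, so a bound that already enforces this may simply not be visible.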
@@ -0,0 +1,221 @@
+use crate::{
+ logic::FSet,
+ std::iter::{FromIterator, IntoIterator, Iterator},
+ *,
+};
+use ::std::{collections::hash_set::*, hash::*};
+
+impl View for HashSet {
+ type ViewTy = FSet;
+
+ #[logic]
+ #[trusted]
+ #[open]
+ fn view(self) -> Self::ViewTy {
+ dead
+ }
+}
+
+extern_spec! {
+ mod std {
+ mod collections {
+ mod hash_set {
+ impl HashSet {
+ #[ensures(self@ == result@)]
+ fn iter(&self) -> Iter<'_, T>;
+ }
+ impl HashSet
+ where
+ T: Eq + Hash,
+ S: BuildHasher,
+ {
+ #[ensures(result@ == self@.intersection(other@))]
+ fn intersection<'a>(&'a self, other: &'a HashSet) -> Intersection<'a, T, S>;
+ }
+ }
+ }
+ }
+}
+
+impl<'a, T> View for Iter<'a, T> {
+ type ViewTy = FSet;
+
+ #[logic]
+ #[trusted]
+ #[open]
+ fn view(self) -> Self::ViewTy {
+ dead
+ }
+}
+
+impl<'a, T> Iterator for Iter<'a, T> {
+ #[open]
+ #[predicate(prophetic)]
+ fn produces(self, visited: Seq, o: Self) -> bool {
+ pearlite! { self@.len() == visited.len() + o@.len()
+ && (forall self@.contains(x) ==> visited.contains(&x) || o@.contains(x))
+ && (forall visited.contains(&x) ==> self@.contains(x) && !o@.contains(x))
+ && (forall o@.contains(x) ==> self@.contains(x) && !visited.contains(&x))
+ && (forall
+ 0 <= i && i < visited.len() && 0 <= j && j < visited.len()
+ && *visited[i] == x && *visited[j] == x
+ ==> i == j)
+ }
+ }
+
+ #[open]
+ #[predicate(prophetic)]
+ fn completed(&mut self) -> bool {
+ pearlite! { (self@).is_empty() }
+ }
+
+ #[law]
+ #[open]
+ #[ensures(self.produces(Seq::EMPTY, self))]
+ fn produces_refl(self) {}
+
+ #[law]
+ #[open]
+ #[requires(a.produces(ab, b))]
+ #[requires(b.produces(bc, c))]
+ #[ensures(a.produces(ab.concat(bc), c))]
+ fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {
+ Seq::::concat_contains();
+ proof_assert! { forall ab.len() <= i && ab.concat(bc).get(i) == Some(x) ==> bc.contains(x) };
+ proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] };
+ }
+}
+
+impl View for IntoIter {
+ type ViewTy = FSet;
+
+ #[logic]
+ #[trusted]
+ #[open]
+ fn view(self) -> Self::ViewTy {
+ dead
+ }
+}
+
+impl Iterator for IntoIter {
+ #[open]
+ #[predicate(prophetic)]
+ fn produces(self, visited: Seq, o: Self) -> bool {
+ pearlite! { self@.len() == visited.len() + o@.len()
+ && (forall self@.contains(x) ==> visited.contains(x) || o@.contains(x))
+ && (forall visited.contains(x) ==> self@.contains(x) && !o@.contains(x))
+ && (forall o@.contains(x) ==> self@.contains(x) && !visited.contains(x))
+ && (forall
+ 0 <= i && i < visited.len() && 0 <= j && j < visited.len()
+ && visited[i] == x && visited[j] == x
+ ==> i == j)
+ }
+ }
+
+ #[open]
+ #[predicate(prophetic)]
+ fn completed(&mut self) -> bool {
+ pearlite! { (self@).is_empty() }
+ }
+
+ #[law]
+ #[open]
+ #[ensures(self.produces(Seq::EMPTY, self))]
+ fn produces_refl(self) {}
+
+ #[law]
+ #[open]
+ #[requires(a.produces(ab, b))]
+ #[requires(b.produces(bc, c))]
+ #[ensures(a.produces(ab.concat(bc), c))]
+ fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {
+ Seq::::concat_contains();
+ proof_assert! { forall ab.len() <= i && ab.concat(bc).get(i) == Some(x) ==> bc.contains(x) };
+ proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] };
+ }
+}
+
+impl IntoIterator for HashSet {
+ #[predicate]
+ #[open]
+ fn into_iter_pre(self) -> bool {
+ pearlite! { true }
+ }
+
+ #[predicate]
+ #[open]
+ fn into_iter_post(self, res: Self::IntoIter) -> bool {
+ pearlite! { self@ == res@ }
+ }
+}
+
+impl IntoIterator for &HashSet {
+ #[predicate]
+ #[open]
+ fn into_iter_pre(self) -> bool {
+ pearlite! { true }
+ }
+
+ #[predicate]
+ #[open]
+ fn into_iter_post(self, res: Self::IntoIter) -> bool {
+ pearlite! { self@ == res@ }
+ }
+}
+
+impl FromIterator for HashSet {
+ #[predicate]
+ #[open]
+ fn from_iter_post(prod: Seq, res: Self) -> bool {
+ pearlite!
{ forall res@.contains(x) == prod.contains(x) } + } +} + +impl<'a, T, S> View for Intersection<'a, T, S> { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, T: Eq + Hash, S: BuildHasher> Iterator for Intersection<'a, T, S> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + pearlite! { self@.len() == visited.len() + o@.len() + && (forall self@.contains(x) ==> visited.contains(&x) || o@.contains(x)) + && (forall visited.contains(&x) ==> self@.contains(x) && !o@.contains(x)) + && (forall o@.contains(x) ==> self@.contains(x) && !visited.contains(&x)) + && (forall + 0 <= i && i < visited.len() && 0 <= j && j < visited.len() + && visited[i] == &x && visited[j] == &x + ==> i == j) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + Seq::::concat_contains(); + proof_assert! { forall ab.len() <= i && ab.concat(bc).get(i) == Some(x) ==> bc.contains(x) }; + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }; + } +} diff --git a/creusot-contracts/src/std/default.rs b/creusot-contracts/src/std/default.rs index b1770f27ab..a96b6e45d1 100644 --- a/creusot-contracts/src/std/default.rs +++ b/creusot-contracts/src/std/default.rs @@ -24,3 +24,13 @@ impl Default for bool { pearlite! { self == false } } } + +// `RandomState::default()` is defined as `RandomState::new()` +// which produces random values. +impl Default for std::hash::RandomState { + #[predicate] + #[open] + fn is_default(self) -> bool { + pearlite! { true } + } +} 
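Review bot: `completed` for `Iter` and `IntoIter` in hash_set.rs is `(self@).is_empty()`, whereas `Intersection` in the same file and all three iterators in hash_map.rs use `self.resolve() && ...is_empty()`. Without the `resolve()` conjunct the predicate says nothing about the final value of the `&mut self` borrow, so the two set iterators get a weaker completion spec than their siblings for no stated reason. If that is unintended, make both read `pearlite! { self.resolve() && (self@).is_empty() }`; if it is deliberate, a short comment above each `completed` saying why would keep the next reader from "fixing" it.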
diff --git a/creusot/tests/creusot-contracts/creusot-contracts.coma b/creusot/tests/creusot-contracts/creusot-contracts.coma
index 95709096a5..e044913d3e 100644
--- a/creusot/tests/creusot-contracts/creusot-contracts.coma
+++ b/creusot/tests/creusot-contracts/creusot-contracts.coma
@@ -92,2802 +92,3531 @@ module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_ goal vc_produces_trans'0 : ([%#sarray1] produces'0 b bc c) -> ([%#sarray0] produces'0 a ab b) -> ([%#sarray2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_le_log [#"../../../creusot-contracts/src/std/cmp.rs" 88 4 88 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 87 14 87 64 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 85 4 85 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 78 4 78 26] (* as std::iter::Iterator> *) + let%span shash_map0 = 
"../../../creusot-contracts/src/std/collections/hash_map.rs" 77 14 77 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 75 4 75 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_T'0 + use seq.Seq - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + use prelude.prelude.Borrow - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_K'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + type t_V'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use prelude.prelude.UInt16 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.UIntSize - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_FMap'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_Iter'0) : t_FMap'0 + - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Int - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 + [%#sfmap7] Map.get (view'1 self) k + + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x end - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) + + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + [%#sseq6] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - constant x : t_Reverse'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . 
get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - constant y : t_Reverse'0 + constant self : t_Iter'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 88 4 88 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 78 4 78 26] (self : t_Iter'0) : () - goal vc_cmp_le_log'0 : [%#scmp0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_lt_log [#"../../../creusot-contracts/src/std/cmp.rs" 93 4 93 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 92 14 92 61 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 90 4 90 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = 
"../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 85 4 85 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 82 15 82 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 83 15 83 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 84 14 84 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 86 24 86 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 86 8 86 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_T'0 + use prelude.prelude.UInt16 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Borrow - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_K'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_V'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_FMap'0 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_Iter'0) : t_FMap'0 + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + [%#sfmap10] Map.get (view'1 self) k - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = - [%#sord2] cmp_log'0 self o = C_Less'0 + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - constant x : t_Reverse'0 + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - constant y : t_Reverse'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq9] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 93 4 93 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . 
contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - goal vc_cmp_lt_log'0 : [%#scmp0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_ge_log [#"../../../creusot-contracts/src/std/cmp.rs" 98 4 98 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 97 14 97 61 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 95 4 95 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use seq.Seq - type t_T'0 + constant a : t_Iter'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + constant ab : Seq.seq (t_K'0, t_V'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + constant b : t_Iter'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + constant bc : Seq.seq (t_K'0, t_V'0) + + constant c : t_Iter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 85 4 85 90] (a : t_Iter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_Iter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_Iter'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 
0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 129 4 129 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 128 14 128 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 126 4 126 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_K'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + type t_V'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.UInt16 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Opaque - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.UIntSize - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: 
t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_FMap'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 96 4 96 33] (self : t_IntoIter'0) : t_FMap'0 + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 + + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + + = + [%#sfmap7] Map.get (view'1 self) k + + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x end - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) + + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 = - [%#sord2] cmp_log'0 self o <> C_Less'0 + [%#sseq6] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - constant x : t_Reverse'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 104 4 104 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . 
get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - constant y : t_Reverse'0 + constant self : t_IntoIter'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 98 4 98 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 129 4 129 26] (self : t_IntoIter'0) : () - goal vc_cmp_ge_log'0 : [%#scmp0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_gt_log [#"../../../creusot-contracts/src/std/cmp.rs" 103 4 103 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 102 14 102 64 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 100 4 100 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 
82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 136 4 136 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 133 15 133 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 134 15 134 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 135 14 135 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 137 24 137 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 137 8 137 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_T'0 + use prelude.prelude.UInt16 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { 
t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_K'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_V'0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_FMap'0 - axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 96 4 96 33] (self : t_IntoIter'0) : t_FMap'0 + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap6] len'0 self >= 0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + [%#sfmap10] Map.get (view'1 self) k - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = - [%#sord2] cmp_log'0 self o = C_Greater'0 + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - constant x : t_Reverse'0 + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - constant y : t_Reverse'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq9] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 103 4 103 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 104 4 104 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . 
get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - goal vc_cmp_gt_log'0 : [%#scmp0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__refl [#"../../../creusot-contracts/src/std/cmp.rs" 108 4 108 20] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 107 14 107 45 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 105 4 105 10 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use seq.Seq - type t_T'0 + constant a : t_IntoIter'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + constant ab : Seq.seq (t_K'0, t_V'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + constant b : t_IntoIter'0 - function 
cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + constant bc : Seq.seq (t_K'0, t_V'0) + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 136 4 136 90] (a : t_IntoIter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_IntoIter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_IntoIter'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 179 14 179 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 177 4 177 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + type t_K'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_V'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.UInt16 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.Opaque - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.UIntSize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_FMap'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 147 4 147 33] (self : t_IterMut'0) : t_FMap'0 + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap3] len'0 self >= 0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) = - [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - constant x : t_Reverse'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - function refl'0 [#"../../../creusot-contracts/src/std/cmp.rs" 108 4 108 20] (x : t_Reverse'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) - goal vc_refl'0 : [%#scmp0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__trans [#"../../../creusot-contracts/src/std/cmp.rs" 115 4 115 52] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 112 15 112 32 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 113 15 113 32 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 114 14 114 31 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 110 4 110 10 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - 
let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 - - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } - - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use map.Map - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use map.Map - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + + = + [%#sfmap7] Map.get (view'1 self) k - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, borrowed t_V'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'2 + = + [%#sseq6] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 155 4 155 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . 
contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . get'1 visited i1 + = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant self : t_IterMut'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 26] (self : t_IterMut'0) : () + - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 187 4 187 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 184 15 184 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 185 15 185 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 186 14 186 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 188 24 188 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 188 8 188 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq9 = 
"../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UInt16 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use prelude.prelude.UIntSize - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp4] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + use prelude.prelude.Borrow - constant x : t_Reverse'0 + type t_K'0 - constant y : t_Reverse'0 + type t_V'0 - constant z : t_Reverse'0 + use seq.Seq - constant o : t_Ordering'0 + type t_FMap'0 - function trans'0 [#"../../../creusot-contracts/src/std/cmp.rs" 115 4 115 52] (x : t_Reverse'0) (y : t_Reverse'0) (z : t_Reverse'0) (o : t_Ordering'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 147 4 147 33] (self : t_IterMut'0) : t_FMap'0 - goal vc_trans'0 : ([%#scmp1] cmp_log'0 y z = o) -> ([%#scmp0] cmp_log'0 x y = o) -> ([%#scmp2] cmp_log'0 x z = o) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym1 [#"../../../creusot-contracts/src/std/cmp.rs" 121 4 121 33] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 119 15 119 45 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 120 14 120 47 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 117 4 117 10 - let%span scmp3 = 
"../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Int - type t_T'0 + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq7] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use map.Map - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use map.Map - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + = + [%#sfmap10] Map.get (view'1 self) k - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, borrowed t_V'0) - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq9] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 155 4 155 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . 
get'1 visited i1 + = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + constant a : t_IterMut'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + constant ab : Seq.seq (t_K'0, borrowed t_V'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + constant b : t_IterMut'0 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + constant bc : Seq.seq (t_K'0, borrowed t_V'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + constant c : t_IterMut'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 187 4 187 90] (a : t_IterMut'0) (ab : Seq.seq (t_K'0, borrowed t_V'0)) (b : t_IterMut'0) (bc : Seq.seq (t_K'0, borrowed t_V'0)) (c : t_IterMut'0) : () + - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 
0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 75 4 75 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 74 14 74 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 4 72 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_T'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + use seq.Seq - constant x : t_Reverse'0 + use prelude.prelude.UInt16 - constant y : t_Reverse'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function antisym1'0 [#"../../../creusot-contracts/src/std/cmp.rs" 121 4 121 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - goal vc_antisym1'0 : ([%#scmp0] cmp_log'0 x y = C_Less'0) -> ([%#scmp1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym2 [#"../../../creusot-contracts/src/std/cmp.rs" 127 4 127 33] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 125 15 125 48 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 126 14 126 44 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 123 4 123 10 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = 
"../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Opaque - type t_T'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use set.Fset - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_Iter'0) : Fset.fset t_T'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use set.Fset - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.Int - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use set.Fset - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset3] Fset.mem e self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 54 4 54 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#shash_set2] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + constant self : t_Iter'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 75 4 75 26] (self : t_Iter'0) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 82 4 82 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 79 15 79 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 80 15 80 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 14 81 42 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 84 24 84 121 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 85 24 85 102 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 83 8 83 44 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span sseq8 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfset11 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UInt16 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - constant x : t_Reverse'0 + use prelude.prelude.Opaque - constant y : t_Reverse'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/std/cmp.rs" 127 4 127 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - goal vc_antisym2'0 : ([%#scmp0] cmp_log'0 x y = C_Greater'0) -> ([%#scmp1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__eq_cmp [#"../../../creusot-contracts/src/std/cmp.rs" 132 4 132 31] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 131 14 131 59 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 129 4 129 10 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span 
sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - type t_T'0 + use prelude.prelude.UIntSize - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + type t_T'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + use set.Fset - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_Iter'0) : Fset.fset t_T'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use set.Fset - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.Int - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use set.Fset - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate contains'1 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset11] Fset.mem e self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq9] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 54 4 54 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#shash_set7] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'1 (view'0 self) x -> contains'0 visited x \/ contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 visited x -> contains'1 (view'0 self) x /\ not contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 (view'0 o) x -> contains'1 (view'0 self) x /\ not contains'0 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use seq.Seq - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq8] () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom concat_contains'0_spec : forall _1 : () . [%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function get'0 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq t_T'0) (ix : int) : t_Option'0 + + = + [%#sseq10] if 0 <= ix /\ ix < Seq.length self then C_Some'0 (Seq.get self ix) else C_None'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + constant a : t_Iter'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + constant ab : Seq.seq t_T'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + constant b : t_Iter'0 - constant x : t_Reverse'0 + constant bc : Seq.seq t_T'0 - constant y : t_Reverse'0 + constant c : t_Iter'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/std/cmp.rs" 132 4 132 31] (x : t_Reverse'0) (y : t_Reverse'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 82 4 82 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + - goal vc_eq_cmp'0 : [%#scmp0] (x = y) = (cmp_log'0 x y = C_Equal'0) + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> ([%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x = contains'0 a x + \/ contains'0 b x) + -> (let _ = concat_contains'0 () in ([%#shash_set4] forall i : int, x : t_T'0 . 
Seq.length ab <= i + /\ get'0 (Seq.(++) ab bc) i = C_Some'0 x -> contains'0 bc x) + && (let _ = () in let _ = () in ([%#shash_set5] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in let _ = () in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c))) end -module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_refl [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (* as std::iter::Iterator> *) - let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 177 14 177 45 - let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 175 4 175 10 - let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 124 4 124 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 123 14 123 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 121 4 121 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 use seq.Seq - use prelude.prelude.Borrow - type t_T'0 use seq.Seq - use prelude.prelude.Opaque + use 
prelude.prelude.UInt16 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Iter'1 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - type t_Iter'0 = - { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } + use prelude.prelude.Opaque - use prelude.prelude.Slice + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - use seq.Seq + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - use seq.Seq + use prelude.prelude.UIntSize - use seq.Seq + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - use prelude.prelude.UIntSize + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | 
C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - use prelude.prelude.UIntSize + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - use prelude.prelude.Int + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - use prelude.prelude.Slice + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - axiom view'2_spec : forall self : slice t_T'0 . 
([%#sslice7] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice8] view'2 self = Slice.id self) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel5] view'2 self + use set.Fset - use seq.Seq + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 95 4 95 33] (self : t_IntoIter'0) : Fset.fset t_T'0 + + + use set.Fset use seq.Seq - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex6] Seq.get (view'2 self) ix + use prelude.prelude.Int - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 + use set.Fset - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset3] Fset.mem e self use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 103 4 103 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = - [%#sdeque2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) + [%#shash_set2] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - constant self : t_Iter'0 + constant self : t_IntoIter'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (self : t_Iter'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 124 4 124 26] (self : t_IntoIter'0) : () + - goal vc_produces_refl'0 : [%#sdeque0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_trans [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (* as std::iter::Iterator> *) - let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 182 15 182 32 - let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 183 15 183 32 - let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 184 14 184 42 - let%span sdeque3 = "../../../creusot-contracts/src/std/deque.rs" 180 4 180 10 - let%span sdeque4 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 - let%span sslice5 = 
"../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 131 4 131 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 128 15 128 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 15 129 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 130 14 130 42 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 133 24 133 121 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 134 24 134 102 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 132 8 132 44 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span sseq8 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfset11 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } use prelude.prelude.Opaque + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type 
t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + use prelude.prelude.UIntSize + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + type t_NonNull'0 = { t_NonNull__pointer'0: opaque_ptr } - type t_Iter'1 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | 
C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - type t_Iter'0 = - { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } + type t_Option'1 = + | C_None'1 + | C_Some'1 (t_NonNull'0, t_Layout'0, ()) - use prelude.prelude.Borrow + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'1; t_RawIntoIter__marker'0: () } + + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } type t_T'0 use seq.Seq - use prelude.prelude.Slice + use set.Fset - function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 95 4 95 33] (self : t_IntoIter'0) : Fset.fset t_T'0 + - use seq.Seq + use set.Fset use seq.Seq - use seq.Seq + use prelude.prelude.Int - use prelude.prelude.UIntSize + use set.Fset - constant v_MAX'0 : usize = (18446744073709551615 : usize) + predicate contains'1 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset11] Fset.mem e self - use prelude.prelude.UIntSize + use seq.Seq - use prelude.prelude.Int + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq9] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - use prelude.prelude.Slice + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 103 4 103 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#shash_set7] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'1 (view'0 self) x -> contains'0 visited x \/ contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 visited x -> contains'1 (view'0 self) x /\ not contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 (view'0 o) x -> contains'1 (view'0 self) x /\ not contains'0 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + use seq.Seq - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice10] view'2 self = Slice.id self) - - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel7] view'2 self - - use seq.Seq - - use seq.Seq - - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex8] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq8] () - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice6] forall i : int . 
0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + axiom concat_contains'0_spec : forall _1 : () . [%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function get'0 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq t_T'0) (ix : int) : t_Option'0 = - [%#sdeque4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) + [%#sseq10] if 0 <= ix /\ ix < Seq.length self then C_Some'0 (Seq.get self ix) else C_None'0 - constant a : t_Iter'0 + constant a : t_IntoIter'0 constant ab : Seq.seq t_T'0 - constant b : t_Iter'0 + constant b : t_IntoIter'0 constant bc : Seq.seq t_T'0 - constant c : t_Iter'0 + constant c : t_IntoIter'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 131 4 131 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - goal vc_produces_trans'0 : ([%#sdeque1] produces'0 b bc c) - -> ([%#sdeque0] produces'0 a ab b) -> ([%#sdeque2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> ([%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x = contains'0 a x + \/ contains'0 b x) + -> (let _ = concat_contains'0 () in ([%#shash_set4] forall i : int, x : t_T'0 . 
Seq.length ab <= i + /\ get'0 (Seq.(++) ab bc) i = C_Some'0 x -> contains'0 bc x) + && (let _ = () in let _ = () in ([%#shash_set5] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in let _ = () in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c))) end -module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_refl [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (* as std::iter::Iterator> *) - let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 57 14 57 45 - let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 55 4 55 10 - let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 - let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 209 4 209 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 208 14 208 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 206 4 206 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 use seq.Seq + use prelude.prelude.Borrow + type t_T'0 use seq.Seq - type t_I'0 + use prelude.prelude.UInt16 - type t_Cloned'0 = - { t_Cloned__it'0: t_I'0 } + type 
t_BitMask'0 = + { t_BitMask__0'0: uint16 } - use prelude.prelude.Borrow + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - use seq.Seq + use prelude.prelude.Opaque - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x - = match x with - | {t_Cloned__it'0 = it} -> inv'1 it - end + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + use prelude.prelude.UIntSize - axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned3] inv'0 self -> inv'1 (iter'0 self) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - use seq.Seq + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - use seq.Seq + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + type t_S'0 - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - use seq.Seq + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 180 4 180 33] (self : t_Intersection'0) : Fset.fset t_T'0 + + + use set.Fset use seq.Seq use prelude.prelude.Int - use seq.Seq + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset3] Fset.mem e self use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 188 4 188 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = - [%#scloned2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [%#shash_set2] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - constant self : t_Cloned'0 + constant self : t_Intersection'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (self : t_Cloned'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 209 4 209 26] (self : t_Intersection'0) : () + - goal vc_produces_refl'0 : [%#scloned0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_trans [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (* as std::iter::Iterator> *) - let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 62 15 62 32 - let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 63 15 63 32 - let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 64 14 64 42 - let%span scloned3 = 
"../../../creusot-contracts/src/std/iter/cloned.rs" 60 4 60 10 - let%span scloned4 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 - let%span scloned5 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 213 15 213 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 214 15 214 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 215 14 215 42 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 218 24 218 121 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 219 24 219 102 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 217 8 217 44 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sseq8 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfset11 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 - type t_I'0 + use prelude.prelude.UInt16 - type t_Cloned'0 = - { t_Cloned__it'0: t_I'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_T'0 + type 
t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - use seq.Seq + use prelude.prelude.Opaque - use prelude.prelude.Borrow + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - use seq.Seq + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) + use prelude.prelude.UIntSize - axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x - = match x with - | {t_Cloned__it'0 = it} -> inv'1 it - end + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned5] inv'0 self -> inv'1 (iter'0 self) + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - use seq.Seq + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - use seq.Seq + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + use prelude.prelude.Borrow - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + type t_S'0 - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + type t_T'0 use seq.Seq + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 180 4 180 33] (self : t_Intersection'0) : Fset.fset t_T'0 + + + use set.Fset + use seq.Seq use prelude.prelude.Int - use seq.Seq + use set.Fset + + predicate contains'1 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset11] Fset.mem e self use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq9] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 188 4 188 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = - [%#scloned4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [%#shash_set7] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'1 (view'0 self) x -> contains'0 visited x \/ contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 visited x -> contains'1 (view'0 self) x /\ not contains'1 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 (view'0 o) x -> contains'1 (view'0 self) x /\ not contains'0 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) use seq.Seq - constant a : t_Cloned'0 + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq8] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . 
contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + function get'0 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq t_T'0) (ix : int) : t_Option'0 + + = + [%#sseq10] if 0 <= ix /\ ix < Seq.length self then C_Some'0 (Seq.get self ix) else C_None'0 + + constant a : t_Intersection'0 constant ab : Seq.seq t_T'0 - constant b : t_Cloned'0 + constant b : t_Intersection'0 constant bc : Seq.seq t_T'0 - constant c : t_Cloned'0 + constant c : t_Intersection'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (a : t_Cloned'0) (ab : Seq.seq t_T'0) (b : t_Cloned'0) (bc : Seq.seq t_T'0) (c : t_Cloned'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 90] (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () - goal vc_produces_trans'0 : ([%#scloned1] produces'0 b bc c) - -> ([%#scloned0] produces'0 a ab b) -> ([%#scloned2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> ([%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x = contains'0 a x + \/ contains'0 b x) + -> (let _ = concat_contains'0 () in ([%#shash_set4] forall i : int, x : t_T'0 . Seq.length ab <= i + /\ get'0 (Seq.(++) ab bc) i = C_Some'0 x -> contains'0 bc x) + && (let _ = () in let _ = () in ([%#shash_set5] forall i : int . 
0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in let _ = () in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c))) end -module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_refl [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (* as std::iter::Iterator> *) - let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 - let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 55 4 55 10 - let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 - let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_le_log [#"../../../creusot-contracts/src/std/cmp.rs" 88 4 88 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 87 14 87 64 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 85 4 85 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = 
"../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - type t_I'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_Copied'0 = - { t_Copied__it'0: t_I'0 } + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - use prelude.prelude.Borrow + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x - = match x with - | {t_Copied__it'0 = it} -> inv'1 it - end + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied3] inv'0 self -> inv'1 (iter'0 self) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use prelude.prelude.Int + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 = - [%#scopied2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - constant self : t_Copied'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Greater'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (self : t_Copied'0) : () + constant x : t_Reverse'0 - goal vc_produces_refl'0 : [%#scopied0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_trans [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (* as std::iter::Iterator> *) - let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 - let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 - let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 - let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 60 4 60 10 - let%span scopied4 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 - let%span scopied5 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + constant y : t_Reverse'0 - type t_I'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 88 4 88 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - type t_Copied'0 = - { t_Copied__it'0: t_I'0 } + goal vc_cmp_le_log'0 : [%#scmp0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) +end +module 
M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_lt_log [#"../../../creusot-contracts/src/std/cmp.rs" 93 4 93 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 92 14 92 61 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 90 4 90 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 type t_T'0 - use seq.Seq - - use prelude.prelude.Borrow + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x - = match x with - | {t_Copied__it'0 = it} -> inv'1 it - end + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'0 self -> inv'1 (iter'0 self) + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use seq.Seq + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) - - = - [%#scopied4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - constant a : t_Copied'0 + axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - constant ab : Seq.seq t_T'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - constant b : t_Copied'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - constant bc : Seq.seq t_T'0 + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - constant c : t_Copied'0 + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + = + [%#sord2] cmp_log'0 self o = C_Less'0 - goal vc_produces_trans'0 : ([%#scopied1] produces'0 b bc c) - -> ([%#scopied0] produces'0 a ab b) -> ([%#scopied2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_refl [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (* as std::iter::Iterator> *) - let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 18 14 18 45 - let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 16 4 16 10 - let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 93 4 93 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + + + goal vc_cmp_lt_log'0 : [%#scmp0] lt_log'0 
x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_ge_log [#"../../../creusot-contracts/src/std/cmp.rs" 98 4 98 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 97 14 97 61 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 95 4 95 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - type t_Empty'0 = - { t_Empty__0'0: () } + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - = - [%#sempty2] visited = 
(Seq.empty : Seq.seq t_T'0) /\ self = o - constant self : t_Empty'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (self : t_Empty'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - goal vc_produces_refl'0 : [%#sempty0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_trans [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (* as std::iter::Iterator> *) - let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 23 15 23 32 - let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 24 15 24 32 - let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 25 14 25 42 - let%span sempty3 = "../../../creusot-contracts/src/std/iter/empty.rs" 21 4 21 10 - let%span sempty4 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_Empty'0 = - { t_Empty__0'0: () } + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - type t_T'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use seq.Seq + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - = - [%#sempty4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant a : t_Empty'0 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - constant ab : Seq.seq t_T'0 + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - constant b : t_Empty'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - constant bc : Seq.seq t_T'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - constant c : t_Empty'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (a : t_Empty'0) (ab : Seq.seq t_T'0) (b : t_Empty'0) (bc : Seq.seq t_T'0) (c : t_Empty'0) : () - + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - goal vc_produces_trans'0 : ([%#sempty1] produces'0 b bc c) - -> ([%#sempty0] produces'0 a ab b) -> ([%#sempty2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_refl [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (* as std::iter::Iterator> *) - let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 82 14 82 45 - let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 80 4 80 10 - let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 - let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span senumerate8 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - use prelude.prelude.UIntSize + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - type t_Item'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - type t_I'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - type t_Enumerate'0 = - { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - use prelude.prelude.Int + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Less'0 - use seq.Seq + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 98 4 98 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + goal vc_cmp_ge_log'0 : [%#scmp0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) +end +module 
M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_gt_log [#"../../../creusot-contracts/src/std/cmp.rs" 103 4 103 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 102 14 102 64 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 100 4 100 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : 
t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - use seq.Seq + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.UIntSize + axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.Borrow + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate3] inv'0 self -> inv'1 (iter'0 self) + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = - [%#senumerate8] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i - -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) - /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . 
inv'0 x - = (invariant'0 x - /\ match x with - | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter - end) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool = - [%#senumerate2] Seq.length visited = n'0 o - n'0 self - /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 
0 <= i /\ i < Seq.length s - -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i - /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [%#sord2] cmp_log'0 self o = C_Greater'0 - constant self : t_Enumerate'0 + constant x : t_Reverse'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (self : t_Enumerate'0) : () + constant y : t_Reverse'0 + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 103 4 103 35] (x : t_Reverse'0) (y : t_Reverse'0) : () - goal vc_produces_refl'0 : [%#senumerate0] produces'0 self (Seq.empty : Seq.seq (usize, t_Item'0)) self + goal vc_cmp_gt_log'0 : [%#scmp0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_trans [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (* as std::iter::Iterator> *) - let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 87 15 87 32 - let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 88 15 88 32 - let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 89 14 89 42 - let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 85 4 85 10 - let%span senumerate4 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 - let%span senumerate5 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span senumerate10 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 - - type t_I'0 +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__refl 
[#"../../../creusot-contracts/src/std/cmp.rs" 108 4 108 20] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 107 14 107 45 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 105 4 105 10 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.UIntSize + type t_T'0 - type t_Enumerate'0 = - { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - type t_Item'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - use seq.Seq + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - use seq.Seq + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter6] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - constant v_MAX'0 : usize = (18446744073709551615 : usize) + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.UIntSize + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use prelude.prelude.Borrow + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom iter'0_spec : forall self : t_Enumerate'0 . 
[%#senumerate5] inv'0 self -> inv'1 (iter'0 self) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = - [%#senumerate10] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i - -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) - /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter - end) + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - use seq.Seq + constant x : t_Reverse'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + function refl'0 [#"../../../creusot-contracts/src/std/cmp.rs" 108 4 108 20] (x : t_Reverse'0) : () + + goal vc_refl'0 : [%#scmp0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__trans [#"../../../creusot-contracts/src/std/cmp.rs" 115 4 115 52] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 112 15 112 32 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 113 
15 113 32 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 114 14 114 31 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 110 4 110 10 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - = - [%#senumerate4] Seq.length visited = n'0 o - n'0 self - /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 
0 <= i /\ i < Seq.length s - -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i - /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) - use seq.Seq + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - constant a : t_Enumerate'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant ab : Seq.seq (usize, t_Item'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - constant b : t_Enumerate'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) - constant bc : Seq.seq (usize, t_Item'0) + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - constant c : t_Enumerate'0 + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (a : t_Enumerate'0) (ab : Seq.seq (usize, t_Item'0)) (b : t_Enumerate'0) (bc : Seq.seq (usize, t_Item'0)) (c : t_Enumerate'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - goal vc_produces_trans'0 : ([%#senumerate1] produces'0 b bc c) - -> ([%#senumerate0] produces'0 a ab b) -> ([%#senumerate2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_refl [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (* as std::iter::Iterator> *) - let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 105 14 105 45 - let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 103 4 103 10 - let%span sfilter2 = 
"../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 - let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 - let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 - let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_Item'0 + axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - type t_I'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - type t_F'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_Filter'0 = - { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use prelude.prelude.Borrow + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () - + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops12] postcondition_once'0 self args res - = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp4] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops9] unnest'0 self b) - -> ([%#sops10] unnest'0 b c) -> ([%#sops11] unnest'0 self c) + constant x : t_Reverse'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + constant y : t_Reverse'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops8] unnest'0 self self + constant z : t_Reverse'0 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/std/cmp.rs" 115 4 115 52] (x : t_Reverse'0) (y : t_Reverse'0) (z : t_Reverse'0) (o : t_Ordering'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . 
([%#sops6] postcondition_mut'0 self args res_state res) - -> ([%#sops7] unnest'0 self res_state) + goal vc_trans'0 : ([%#scmp1] cmp_log'0 y z = o) -> ([%#scmp0] cmp_log'0 x y = o) -> ([%#scmp2] cmp_log'0 x z = o) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym1 [#"../../../creusot-contracts/src/std/cmp.rs" 121 4 121 33] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 119 15 119 45 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 120 14 120 47 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 117 4 117 10 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = - [%#sfilter3] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) - /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) - /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . 
not (postcondition_mut'0 f1 (i) f2 true - /\ postcondition_mut'0 f1 (i) f2 false)) + type t_T'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' - end) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter4] inv'0 self -> inv'1 (func'0 self) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use map.Map + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - axiom iter'0_spec : forall self : t_Filter'0 . 
[%#sfilter5] inv'0 self -> inv'2 (iter'0 self) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter14] produces'1 a ab b) - -> ([%#siter15] produces'1 b bc c) -> ([%#siter16] produces'1 a (Seq.(++) ab bc) c) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter13] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use seq.Seq + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use map.Map + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) - - = - [%#sfilter2] invariant'0 self - -> unnest'0 (func'0 self) (func'0 succ) - /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited - -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) - = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - constant self : t_Filter'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (self : t_Filter'0) : () + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - goal vc_produces_refl'0 : [%#sfilter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_trans [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (* as std::iter::Iterator> *) - let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 110 15 110 32 - let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 111 15 111 32 - let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 112 14 112 42 - let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 108 4 108 10 - let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 - let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 - let%span sfilter6 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 - let%span sfilter7 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : 
t_T'0) : bool - type t_I'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - type t_F'0 + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - type t_Filter'0 = - { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - type t_Item'0 + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use prelude.prelude.Borrow + function antisym1'0 [#"../../../creusot-contracts/src/std/cmp.rs" 121 4 121 33] (x : t_Reverse'0) (y : t_Reverse'0) : () + - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + goal vc_antisym1'0 : ([%#scmp0] cmp_log'0 x y = C_Less'0) -> ([%#scmp1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym2 [#"../../../creusot-contracts/src/std/cmp.rs" 127 4 127 33] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 125 15 125 48 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 126 14 126 44 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 123 4 123 10 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = 
"../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - + type t_T'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops14] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops11] unnest'0 self b) - -> ([%#sops12] unnest'0 b c) -> ([%#sops13] unnest'0 self c) + axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops10] unnest'0 self self + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops8] postcondition_mut'0 self args res_state res) - -> ([%#sops9] unnest'0 self res_state) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = - [%#sfilter5] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) - /\ (forall f : t_F'0, g : t_F'0 . 
unnest'0 f g -> f = g) - /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true - /\ postcondition_mut'0 f1 (i) f2 false)) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' - end) + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter6] inv'0 self -> inv'1 (func'0 self) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use map.Map + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter7] inv'0 self -> inv'2 (iter'0 self) + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use seq.Seq + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter16] produces'1 a ab b) - -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) + constant x : t_Reverse'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + constant y : t_Reverse'0 - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function antisym2'0 [#"../../../creusot-contracts/src/std/cmp.rs" 127 4 127 33] (x : t_Reverse'0) (y : t_Reverse'0) : () + - use seq.Seq + goal vc_antisym2'0 : ([%#scmp0] cmp_log'0 x y = C_Greater'0) -> ([%#scmp1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__eq_cmp [#"../../../creusot-contracts/src/std/cmp.rs" 132 4 132 31] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 131 14 131 59 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 129 4 129 10 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 78 8 82 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use map.Map + type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - = - [%#sfilter4] invariant'0 self - -> unnest'0 (func'0 self) (func'0 succ) - /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited - -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) - = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - constant a : t_Filter'0 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - constant ab : Seq.seq t_Item'0 + axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant b : t_Filter'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - constant bc : Seq.seq t_Item'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - constant c : t_Filter'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (a : t_Filter'0) (ab : Seq.seq t_Item'0) (b : t_Filter'0) (bc : Seq.seq t_Item'0) (c : t_Filter'0) : () + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - goal vc_produces_trans'0 : ([%#sfilter1] produces'0 b bc c) - -> ([%#sfilter0] produces'0 a ab b) -> ([%#sfilter2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_refl [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (* as std::iter::Iterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_Item'0 + axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - type t_I'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse3] inv'0 self -> inv'1 (view'0 self)) - && ([%#sfuse4] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 77 4 77 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + constant x : t_Reverse'0 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + constant y : t_Reverse'0 - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/std/cmp.rs" 132 4 132 31] (x : t_Reverse'0) (y : t_Reverse'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + goal vc_eq_cmp'0 : [%#scmp0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_refl [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (* as std::iter::Iterator> *) + let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 177 14 177 45 + let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 175 4 175 10 + let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) - - = - [%#sfuse2] match view'0 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self - | C_Some'0 i -> match view'0 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end + use seq.Seq - constant self : t_Fuse'0 + use prelude.prelude.Borrow - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () + type t_T'0 - goal vc_produces_refl'0 : [%#sfuse0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_trans [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (* as std::iter::Iterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 - let%span 
sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + use seq.Seq - type t_I'0 + use prelude.prelude.Opaque - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + type t_Iter'1 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - type t_Item'0 + type t_Iter'0 = + { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } + + use prelude.prelude.Slice + + function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 use seq.Seq use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.UIntSize - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + constant v_MAX'0 : usize = (18446744073709551615 : usize) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + use prelude.prelude.UIntSize - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + use prelude.prelude.Int - function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + use prelude.prelude.Slice - axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse5] inv'0 self -> inv'1 (view'0 self)) - && ([%#sfuse6] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice8] view'2 self = Slice.id self) + + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel5] view'2 self use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use seq.Seq - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + = + [%#sindex6] Seq.get (view'2 self) ix - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#sfuse4] match view'0 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self - | C_Some'0 i -> match view'0 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end + [%#sdeque2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant a : t_Fuse'0 + constant self : t_Iter'0 - constant ab : Seq.seq t_Item'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (self : t_Iter'0) : () - constant b : t_Fuse'0 + goal vc_produces_refl'0 : [%#sdeque0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_trans [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (* as std::iter::Iterator> *) + let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 182 15 182 32 + let%span sdeque1 = 
"../../../creusot-contracts/src/std/deque.rs" 183 15 183 32 + let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 184 14 184 42 + let%span sdeque3 = "../../../creusot-contracts/src/std/deque.rs" 180 4 180 10 + let%span sdeque4 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - constant bc : Seq.seq t_Item'0 + use prelude.prelude.Opaque - constant c : t_Fuse'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () - + type t_Iter'1 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - goal vc_produces_trans'0 : ([%#sfuse1] produces'0 b bc c) - -> ([%#sfuse0] produces'0 a ab b) -> ([%#sfuse2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi7691061398646472980__is_fused [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (* as std::iter::fuse::FusedIterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 63 15 63 31 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 64 15 64 44 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 65 14 65 50 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 61 4 61 10 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 20 12 21 28 - let%span sfuse5 = 
"../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 - let%span sfuse7 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 - let%span sfuse8 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 - let%span sfuse9 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 - let%span sfuse10 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 - let%span sfuse11 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 - let%span smodel12 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sfuse13 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse14 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + type t_Iter'0 = + { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } - type t_I'0 + use prelude.prelude.Borrow - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + type t_T'0 - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + use seq.Seq - type t_Item'0 + use prelude.prelude.Slice + + function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 use seq.Seq use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.UIntSize - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + constant v_MAX'0 : usize = (18446744073709551615 : usize) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + use prelude.prelude.UIntSize - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + use prelude.prelude.Int - function view'1 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + use prelude.prelude.Slice - axiom view'1_spec : forall self : t_Fuse'0 . ([%#sfuse13] inv'0 self -> inv'1 (view'1 self)) - && ([%#sfuse14] forall other : t_Fuse'0 . view'1 self = view'1 other -> self = other) + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice10] view'2 self = Slice.id self) + + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel7] view'2 self use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use seq.Seq - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + = + [%#sindex8] Seq.get (view'2 self) ix - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter16] produces'1 a ab b) - -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#sfuse5] match view'1 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'1 other = view'1 self - | C_Some'0 i -> match view'1 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end - - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () - - = - [%#sfuse11] () - - axiom produces_trans'0_spec : forall a : t_Fuse'0, ab : Seq.seq t_Item'0, b : t_Fuse'0, bc : Seq.seq t_Item'0, c : t_Fuse'0 . ([%#sfuse8] produces'0 a ab b) - -> ([%#sfuse9] produces'0 b bc c) -> ([%#sfuse10] produces'0 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () = - [%#sfuse7] () - - axiom produces_refl'0_spec : forall self : t_Fuse'0 . 
[%#sfuse6] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Borrow - - function view'0 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (t_Fuse'0)) : t_Option'0 = - [%#smodel12] view'1 self.current + [%#sdeque4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + constant a : t_Iter'0 - predicate completed'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 18 4 18 35] (self : borrowed (t_Fuse'0)) = - [%#sfuse4] (view'0 self = C_None'0 - \/ (exists it : borrowed t_I'0 . completed'1 it /\ view'0 self = C_Some'0 (it.current))) - /\ view'1 self.final = C_None'0 + constant ab : Seq.seq t_T'0 - constant self : borrowed (t_Fuse'0) + constant b : t_Iter'0 - constant steps : Seq.seq t_Item'0 + constant bc : Seq.seq t_T'0 - constant next : t_Fuse'0 + constant c : t_Iter'0 - function is_fused'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (self : borrowed (t_Fuse'0)) (steps : Seq.seq t_Item'0) (next : t_Fuse'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - goal vc_is_fused'0 : ([%#sfuse1] produces'0 self.final steps next) - -> ([%#sfuse0] completed'0 self) -> ([%#sfuse2] steps = (Seq.empty : Seq.seq t_Item'0) /\ self.final = next) + goal vc_produces_trans'0 : ([%#sdeque1] produces'0 b bc c) + -> ([%#sdeque0] produces'0 a ab b) -> ([%#sdeque2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_refl [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (* as std::iter::Iterator> *) - let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 80 14 80 45 - let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 78 4 78 10 - let%span smap2 = 
"../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 - let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 - let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_refl [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (* as std::iter::Iterator> *) + let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 57 14 57 45 + let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 55 4 55 10 + let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 + let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - type t_B'0 + type t_T'0 use seq.Seq type t_I'0 - type t_F'0 + type 
t_Cloned'0 = + { t_Cloned__it'0: t_I'0 } - type t_Map'0 = - { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + use prelude.prelude.Borrow - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x + axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x = match x with - | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f + | {t_Cloned__it'0 = it} -> inv'1 it end - function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 + function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 - axiom func'0_spec : forall self : t_Map'0 . [%#smap3] inv'0 self -> inv'1 (func'0 self) + axiom iter'0_spec : forall self : t_Cloned'0 . 
[%#scloned3] inv'0 self -> inv'1 (iter'0 self) - type t_Item'0 + use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - use prelude.prelude.Borrow + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) - + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops11] postcondition_once'0 self args res - = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + use seq.Seq - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + use seq.Seq - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + = + [%#scloned2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) - -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) + constant self : t_Cloned'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (self : t_Cloned'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops7] unnest'0 self self + goal vc_produces_refl'0 : [%#scloned0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_trans [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (* as std::iter::Iterator> *) + let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 62 15 62 32 + let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 63 15 63 32 + let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 64 14 64 42 + let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 60 4 60 10 + let%span scloned4 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 + let%span scloned5 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - + type t_I'0 - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . 
([%#sops5] postcondition_mut'0 self args res_state res) - -> ([%#sops6] unnest'0 self res_state) + type t_Cloned'0 = + { t_Cloned__it'0: t_I'0 } - use seq.Seq + type t_T'0 use seq.Seq - use seq.Seq + use prelude.prelude.Borrow use seq.Seq - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) - axiom iter'0_spec : forall self : t_Map'0 . [%#smap4] inv'0 self -> inv'2 (iter'0 self) + axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x + = match x with + | {t_Cloned__it'0 = it} -> inv'1 it + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned5] inv'0 self -> inv'1 (iter'0 self) use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter13] produces'1 a ab b) - -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use prelude.prelude.Int + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self use seq.Seq use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + use prelude.prelude.Int use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) = - [%#smap2] unnest'0 (func'0 self) (func'0 succ) - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited - /\ produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - func'0 self = func'0 succ - else - (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 (func'0 self) (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) + [%#scloned4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - constant self : t_Map'0 + use seq.Seq - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (self : t_Map'0) : () + constant a : t_Cloned'0 - goal vc_produces_refl'0 : [%#smap0] produces'0 self (Seq.empty : Seq.seq t_B'0) self -end -module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_trans [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (* as std::iter::Iterator> *) - let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 85 15 85 32 - let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 86 15 86 32 - let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 87 14 87 42 - let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 83 4 83 10 - let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 - let%span smap5 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 - let%span smap6 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 127 14 
128 105 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + constant ab : Seq.seq t_T'0 - type t_I'0 + constant b : t_Cloned'0 - type t_F'0 + constant bc : Seq.seq t_T'0 - type t_Map'0 = - { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + constant c : t_Cloned'0 - type t_B'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (a : t_Cloned'0) (ab : Seq.seq t_T'0) (b : t_Cloned'0) (bc : Seq.seq t_T'0) (c : t_Cloned'0) : () + + + goal vc_produces_trans'0 : ([%#scloned1] produces'0 b bc c) + -> ([%#scloned0] produces'0 a ab b) -> ([%#scloned2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_refl [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (* as std::iter::Iterator> *) + let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 + let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 55 4 55 10 + let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_T'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate inv'0 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + type t_I'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x + type t_Copied'0 = + { t_Copied__it'0: t_I'0 } + + use prelude.prelude.Borrow + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x = match x with - | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f + | {t_Copied__it'0 = it} -> inv'1 it end - function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 + function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 - axiom func'0_spec : forall self : t_Map'0 . [%#smap5] inv'0 self -> inv'1 (func'0 self) + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied3] inv'0 self -> inv'1 (iter'0 self) - type t_Item'0 + use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - use prelude.prelude.Borrow + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) - + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops13] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + use seq.Seq - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + use seq.Seq - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + = + [%#scopied2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops10] unnest'0 self b) - -> ([%#sops11] unnest'0 b c) -> ([%#sops12] unnest'0 self c) + constant self : t_Copied'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (self : t_Copied'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops9] unnest'0 self self + goal vc_produces_refl'0 : [%#scopied0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_trans [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (* as std::iter::Iterator> *) + let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 + let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 + let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 + let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 60 4 60 10 + let%span scopied4 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span scopied5 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - + type t_I'0 - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . 
([%#sops7] postcondition_mut'0 self args res_state res) - -> ([%#sops8] unnest'0 self res_state) + type t_Copied'0 = + { t_Copied__it'0: t_I'0 } - use seq.Seq + type t_T'0 use seq.Seq - use seq.Seq + use prelude.prelude.Borrow use seq.Seq - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) - axiom iter'0_spec : forall self : t_Map'0 . [%#smap6] inv'0 self -> inv'2 (iter'0 self) + axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x + = match x with + | {t_Copied__it'0 = it} -> inv'1 it + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'0 self -> inv'1 (iter'0 self) use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter15] produces'1 a ab b) - -> ([%#siter16] produces'1 b bc c) -> ([%#siter17] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter14] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Int + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self use seq.Seq use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + use prelude.prelude.Int use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) = - [%#smap4] unnest'0 (func'0 self) (func'0 succ) - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited - /\ produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - func'0 self = func'0 succ - else - (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 (func'0 self) (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) + [%#scopied4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) use seq.Seq - constant a : t_Map'0 + constant a : t_Copied'0 - constant ab : Seq.seq t_B'0 + constant ab : Seq.seq t_T'0 - constant b : t_Map'0 + constant b : t_Copied'0 - constant bc : Seq.seq t_B'0 + constant bc : Seq.seq t_T'0 - constant c : t_Map'0 + constant c : t_Copied'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (a : t_Map'0) (ab : Seq.seq t_B'0) (b : t_Map'0) (bc : Seq.seq t_B'0) (c : t_Map'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () - goal vc_produces_trans'0 : ([%#smap1] produces'0 b bc c) - -> ([%#smap0] produces'0 a ab b) -> ([%#smap2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#scopied1] produces'0 b bc c) + -> ([%#scopied0] produces'0 a ab b) -> ([%#scopied2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_refl [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 
14 128 105 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_refl [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (* as std::iter::Iterator> *) + let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 18 14 18 45 + let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 16 4 16 10 + let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 use seq.Seq - type t_B'0 + type t_T'0 use seq.Seq - type t_I'0 - - type t_F'0 + type t_Empty'0 = + { t_Empty__0'0: () } - type t_Item'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + + = + [%#sempty2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - use seq.Seq + constant self : t_Empty'0 - use prelude.prelude.Snapshot + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (self : t_Empty'0) : () - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + goal vc_produces_refl'0 : [%#sempty0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_trans [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (* as std::iter::Iterator> *) + let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 23 15 23 32 + let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 24 15 24 32 + let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 25 14 25 42 + let%span sempty3 = 
"../../../creusot-contracts/src/std/iter/empty.rs" 21 4 21 10 + let%span sempty4 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + type t_Empty'0 = + { t_Empty__0'0: () } - use prelude.prelude.Borrow + type t_T'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + = + [%#sempty4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + use seq.Seq - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant a : t_Empty'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + constant ab : Seq.seq t_T'0 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops6] unnest'0 self b) - -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) + constant b : t_Empty'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + constant bc : Seq.seq t_T'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self + constant c : t_Empty'0 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (a : t_Empty'0) (ab : Seq.seq t_T'0) (b : t_Empty'0) (bc : Seq.seq t_T'0) (c : t_Empty'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) - -> ([%#sops4] unnest'0 self res_state) + goal vc_produces_trans'0 : ([%#sempty1] produces'0 b bc c) + -> ([%#sempty0] produces'0 a ab b) -> ([%#sempty2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_refl [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (* as std::iter::Iterator> *) + let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 82 14 82 45 + let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 80 4 80 10 + let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 + let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = 
"../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span senumerate8 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 use seq.Seq - use seq.Seq + use prelude.prelude.UIntSize - use seq.Seq + type t_Item'0 use seq.Seq - use seq.Seq + type t_I'0 + + type t_Enumerate'0 = + { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - - - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - - - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'1 a ab b) - -> ([%#siter12] produces'1 b bc c) -> ([%#siter13] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter10] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Snapshot - - use prelude.prelude.Snapshot - use prelude.prelude.Int - use seq.Seq + function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int use seq.Seq use seq.Seq - use prelude.prelude.Snapshot + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - use seq.Seq - - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - = - [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - constant self : t_MapInv'0 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - goal vc_produces_refl'0 : [%#smap_inv0] produces'0 self (Seq.empty : Seq.seq t_B'0) self -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_trans [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops9 = 
"../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - type t_I'0 + use seq.Seq - type t_F'0 + constant v_MAX'0 : usize = (18446744073709551615 : usize) - type t_Item'0 + use prelude.prelude.UIntSize - use seq.Seq + use prelude.prelude.Borrow - use prelude.prelude.Snapshot + predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - type t_B'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - use seq.Seq + function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate3] inv'0 self -> inv'1 (iter'0 self) - use prelude.prelude.Borrow + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = + [%#senumerate8] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . 
produces'1 (iter'0 self) s i + -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) + /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter + end) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () - + use seq.Seq - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops11] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + + = + [%#senumerate2] Seq.length visited = n'0 o - n'0 self + /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i + /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant self : t_Enumerate'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (self : t_Enumerate'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) - -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) + goal vc_produces_refl'0 : [%#senumerate0] produces'0 self (Seq.empty : Seq.seq (usize, t_Item'0)) self +end +module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_trans [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (* as std::iter::Iterator> *) + let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 87 15 87 32 + let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 88 15 88 32 + let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 89 14 89 42 + let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 85 4 85 10 + let%span senumerate4 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 + let%span senumerate5 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span senumerate10 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 - function 
unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_I'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self + use prelude.prelude.UIntSize - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + type t_Enumerate'0 = + { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) - -> ([%#sops6] unnest'0 self res_state) + type t_Item'0 use seq.Seq use seq.Seq - use seq.Seq + use prelude.prelude.Int + + function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int use seq.Seq 
@@ -2901,743 +3630,717 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__pr function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) - -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter6] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - use prelude.prelude.Snapshot + use seq.Seq - use prelude.prelude.Snapshot + constant v_MAX'0 : usize = (18446744073709551615 : usize) - use prelude.prelude.Int + use prelude.prelude.UIntSize - use seq.Seq + use prelude.prelude.Borrow - use seq.Seq + predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use prelude.prelude.Snapshot + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate5] inv'0 self -> inv'1 (iter'0 self) + + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = + [%#senumerate10] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i + -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) + /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . 
inv'0 x + = (invariant'0 x + /\ match x with + | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter + end) use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) = - [%#smap_inv4] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + [%#senumerate4] Seq.length visited = n'0 o - n'0 self + /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i + /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) use seq.Seq - constant a : t_MapInv'0 + constant a : t_Enumerate'0 - constant ab : Seq.seq t_B'0 + constant ab : Seq.seq (usize, t_Item'0) - constant b : t_MapInv'0 + constant b : t_Enumerate'0 - constant bc : Seq.seq t_B'0 + constant bc : Seq.seq (usize, t_Item'0) - constant c : t_MapInv'0 + constant c : t_Enumerate'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (a : t_Enumerate'0) (ab : Seq.seq (usize, t_Item'0)) (b : t_Enumerate'0) (bc : Seq.seq (usize, t_Item'0)) (c : t_Enumerate'0) : () - goal vc_produces_trans'0 : ([%#smap_inv1] produces'0 b bc c) - -> ([%#smap_inv0] produces'0 a ab b) -> ([%#smap_inv2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#senumerate1] produces'0 b bc c) + -> ([%#senumerate0] produces'0 a ab b) -> ([%#senumerate2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi5691635635396426195__resolve_coherence [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (* as resolve::Resolve> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 62 15 62 39 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 63 14 63 31 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 60 4 60 23 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 57 8 57 50 +module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_refl [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (* as std::iter::Iterator> *) + let%span sfilter0 = 
"../../../creusot-contracts/src/std/iter/filter.rs" 105 14 105 45 + let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 103 4 103 10 + let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 + let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 + let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 + let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - use prelude.prelude.Borrow + use seq.Seq - type t_I'0 - - type t_F'0 - - type t_B'0 + type t_Item'0 use seq.Seq - use prelude.prelude.Snapshot + type t_I'0 - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_B'0) } + type t_F'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : Snapshot.snap_ty (Seq.seq t_B'0)) - = - true + type t_Filter'0 = + { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.Borrow - predicate 
resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_I'0) + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_MapInv'0) = - match _1 with - | {t_MapInv__iter'0 = x0 ; t_MapInv__func'0 = x1 ; t_MapInv__produced'0 = x2} -> resolve'1 x2 - /\ resolve'2 x1 /\ resolve'3 x0 - end + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) + - predicate resolve'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 28] (self : t_MapInv'0) = - [%#smap_inv3] resolve'3 self.t_MapInv__iter'0 /\ resolve'2 self.t_MapInv__func'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - constant self : t_MapInv'0 + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) + - function resolve_coherence'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (self : t_MapInv'0) : () + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () - goal vc_resolve_coherence'0 : ([%#smap_inv0] structural_resolve'0 self) -> ([%#smap_inv1] resolve'0 self) -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4413682431414748756__next [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 4 90 44] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 91 39 91 58 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 94 16 94 76 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 95 31 95 71 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 99 38 99 88 
- let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 100 32 100 63 - let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 105 32 105 56 - let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 17 90 21 - let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 26 90 44 - let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 86 14 89 5 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 103 26 106 17 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 162 27 162 52 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 163 26 163 71 - let%span smap_inv12 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 163 15 163 31 - let%span smap_inv13 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 164 4 164 60 - let%span smap_inv14 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 165 15 165 30 - let%span smap_inv15 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 166 15 166 64 - let%span smap_inv16 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 167 14 167 74 - let%span smap_inv17 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 168 14 168 75 - let%span smap_inv18 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 - let%span smap_inv19 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 - let%span smap_inv20 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9 - let%span smap_inv21 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 74 12 76 73 - let%span smap_inv22 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 - let%span smap_inv23 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 - let%span smap_inv24 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 117 12 119 63 - let%span smap_inv25 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sresolve26 = 
"../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span smap_inv27 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv28 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv29 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv30 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv31 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv32 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span siter33 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter34 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter35 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter36 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span sops37 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops38 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops39 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops40 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops41 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops42 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops43 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span smap_inv44 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 153 12 156 47 - let%span smap_inv45 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 - let%span sinvariant46 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops12] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - use prelude.prelude.Borrow + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - use prelude.prelude.Snapshot + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - type t_I'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops9] unnest'0 self b) + -> ([%#sops10] unnest'0 b c) -> ([%#sops11] unnest'0 self c) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - type t_F'0 + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops8] unnest'0 self self - type t_Item'0 + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + - use seq.Seq + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops6] postcondition_mut'0 self args res_state res) + -> ([%#sops7] unnest'0 self res_state) - use prelude.prelude.Snapshot + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = + [%#sfilter3] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) + /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) + /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . 
not (postcondition_mut'0 f1 (i) f2 true + /\ postcondition_mut'0 f1 (i) f2 false)) - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_I'0) = - [%#sinvariant46] inv'0 self.current /\ inv'0 self.final + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_I'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) - axiom inv_axiom'2 [@rewrite] : forall x : borrowed t_I'0 [inv'4 x] . inv'4 x = invariant'2 x + axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' + end) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_Item'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 - predicate inv'9 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Item'0) + axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter4] inv'0 self -> inv'1 (func'0 self) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Int - axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'5 x] . inv'5 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'9 a_0 - end + use map.Map - use seq.Seq + function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Filter'0 . 
[%#sfilter5] inv'0 self -> inv'2 (iter'0 self) use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter34] produces'0 a ab b) - -> ([%#siter35] produces'0 b bc c) -> ([%#siter36] produces'0 a (Seq.(++) ab bc) c) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter14] produces'1 a ab b) + -> ([%#siter15] produces'1 b bc c) -> ([%#siter16] produces'1 a (Seq.(++) ab bc) c) function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter33] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - - predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter13] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use seq.Seq - let rec next'1 (self:borrowed t_I'0) (return' (ret:t_Option'0))= {[@expl:next 'self' type invariant] inv'4 self} - any - [ return' (result:t_Option'0)-> {inv'5 result} - {[%#siter9] match result with - | C_None'0 -> completed'1 self - | C_Some'0 v -> produces'0 self.current (Seq.singleton v) self.final - end} - (! 
return' {result}) ] - + use map.Map - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Item'0))= any - [ good (field_0:t_Item'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Item'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) + = + [%#sfilter2] invariant'0 self + -> unnest'0 (func'0 self) (func'0 succ) + /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited + -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> (exists j : int . 
0 <= j /\ j < Seq.length visited /\ Map.get f j = i) + = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - use prelude.prelude.Snapshot - - use seq.Seq + constant self : t_Filter'0 - use prelude.prelude.Snapshot + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (self : t_Filter'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + goal vc_produces_refl'0 : [%#sfilter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_trans [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (* as std::iter::Iterator> *) + let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 110 15 110 32 + let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 111 15 111 32 + let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 112 14 112 42 + let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 108 4 108 10 + let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 + let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 + let%span sfilter6 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 + let%span sfilter7 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter15 = 
"../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_F'0) = - [%#sinvariant46] inv'1 self.current /\ inv'1 self.final + type t_I'0 - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_F'0) + type t_F'0 - axiom inv_axiom'4 [@rewrite] : forall x : borrowed t_F'0 [inv'6 x] . inv'6 x = invariant'3 x + type t_Filter'0 = + { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } - predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + type t_Item'0 - axiom inv_axiom'5 [@rewrite] : forall x : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) [inv'7 x] . 
inv'7 x - = (let (x0, x1) = x in inv'9 x0) + use seq.Seq - type t_B'0 + use prelude.prelude.Borrow - predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops43] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'2 res_state) + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops14] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops40] unnest'0 self b) - -> ([%#sops41] unnest'0 b c) -> ([%#sops42] unnest'0 self c) + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops11] unnest'0 self b) + -> ([%#sops12] unnest'0 b c) -> ([%#sops13] unnest'0 self c) function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops39] unnest'0 self self + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops10] unnest'0 self self - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops37] postcondition_mut'0 self args res_state res) - -> ([%#sops38] unnest'0 self res_state) + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . 
([%#sops8] postcondition_mut'0 self args res_state res) + -> ([%#sops9] unnest'0 self res_state) - let rec call_mut'0 (self:borrowed t_F'0) (args:(t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (return' (ret:t_B'0))= {[@expl:call_mut 'self' type invariant] inv'6 self} - {[@expl:call_mut 'args' type invariant] inv'7 args} - {[@expl:call_mut requires] [%#sops10] precondition'0 self.current args} - any - [ return' (result:t_B'0)-> {inv'8 result} - {[%#sops11] postcondition_mut'0 self.current args self.final result} - (! return' {result}) ] - + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = + [%#sfilter5] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) + /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) + /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true + /\ postcondition_mut'0 f1 (i) f2 false)) - predicate next_precondition'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 115 4 115 78] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - - = - [%#smap_inv24] forall e : t_Item'0, i : t_I'0 . produces'0 iter (Seq.singleton e) i - -> precondition'0 func (e, Snapshot.new produced) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) - - = - [%#smap_inv45] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new s) - -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - predicate reinitialize'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 151 4 151 33] (_1 : ()) = - [%#smap_inv44] forall iter : borrowed t_I'0, func : t_F'0 . completed'1 iter - -> next_precondition'0 iter.final func (Seq.empty : Seq.seq t_Item'0) /\ preservation'0 iter.final func + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) - predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - - = - [%#smap_inv23] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) - -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' + end) - axiom preservation_inv'0_spec : forall iter : t_I'0, func : t_F'0, produced : Seq.seq t_Item'0 . 
[%#smap_inv22] produced - = (Seq.empty : Seq.seq t_Item'0) -> preservation_inv'0 iter func produced = preservation'0 iter func + function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 72 4 72 30] (self : t_MapInv'0) = - [%#smap_inv21] reinitialize'0 () - /\ preservation_inv'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) - /\ next_precondition'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) + axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter6] inv'0 self -> inv'1 (func'0 self) - function produces_one_invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 169 4 169 73] (self : t_MapInv'0) (e : t_Item'0) (r : t_B'0) (f : borrowed t_F'0) (iter : t_I'0) : () - + use prelude.prelude.Int - axiom produces_one_invariant'0_spec : forall self : t_MapInv'0, e : t_Item'0, r : t_B'0, f : borrowed t_F'0, iter : t_I'0 . ([%#smap_inv12] invariant'0 self) - -> ([%#smap_inv13] produces'0 self.t_MapInv__iter'0 (Seq.singleton e) iter) - -> ([%#smap_inv14] f.current = self.t_MapInv__func'0) - -> ([%#smap_inv15] postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final r) - -> ([%#smap_inv16] preservation_inv'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) - && ([%#smap_inv17] next_precondition'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) + use map.Map - use prelude.prelude.Snapshot + function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 - use prelude.prelude.Snapshot + axiom iter'0_spec : forall self : t_Filter'0 . 
[%#sfilter7] inv'0 self -> inv'2 (iter'0 self) use seq.Seq use seq.Seq - use seq.Seq + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use seq.Seq + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) + -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) - use seq.Seq + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use seq.Seq + use map.Map + use seq.Seq - use prelude.prelude.Snapshot + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) + + = + [%#sfilter4] invariant'0 self + -> unnest'0 (func'0 self) (func'0 succ) + /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited + -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> (exists j : int . 
0 <= j /\ j < Seq.length visited /\ Map.get f j = i) + = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - use prelude.prelude.Int + constant a : t_Filter'0 - use seq.Seq + constant ab : Seq.seq t_Item'0 + + constant b : t_Filter'0 + + constant bc : Seq.seq t_Item'0 + + constant c : t_Filter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (a : t_Filter'0) (ab : Seq.seq t_Item'0) (b : t_Filter'0) (bc : Seq.seq t_Item'0) (c : t_Filter'0) : () + + + goal vc_produces_trans'0 : ([%#sfilter1] produces'0 b bc c) + -> ([%#sfilter0] produces'0 a ab b) -> ([%#sfilter2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_refl [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (* as std::iter::Iterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq + type t_Item'0 + use seq.Seq + type t_I'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 + + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end + + function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + + axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse3] inv'0 self -> inv'1 (view'0 self)) + && ([%#sfuse4] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + use seq.Seq - predicate produces'1 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - = - [%#smap_inv25] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'0 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - = - [%#smap_inv32] () - axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv29] produces'1 a ab b) - -> ([%#smap_inv30] produces'1 b bc c) -> ([%#smap_inv31] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = - [%#smap_inv28] () + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv27] produces'1 self (Seq.empty : Seq.seq t_B'0) self + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) = - [%#smap_inv19] exists f : borrowed t_F'0, e : t_Item'0 . f.current = self.t_MapInv__func'0 - /\ f.final = succ.t_MapInv__func'0 - /\ produces'0 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e - /\ precondition'0 f.current (e, self.t_MapInv__produced'0) - /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited - - axiom produces_one'0_spec : forall self : t_MapInv'0, visited : t_B'0, succ : t_MapInv'0 . [%#smap_inv18] produces_one'0 self visited succ - = produces'1 self (Seq.singleton visited) succ - - predicate inv'10 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_MapInv'0) + [%#sfuse2] match view'0 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self + | C_Some'0 i -> match view'0 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - axiom inv_axiom'6 [@rewrite] : forall x : t_MapInv'0 [inv'10 x] . 
inv'10 x - = (invariant'0 x - /\ match x with - | {t_MapInv__iter'0 = iter ; t_MapInv__func'0 = func ; t_MapInv__produced'0 = produced} -> inv'0 iter /\ inv'1 func - end) + constant self : t_Fuse'0 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_MapInv'0)) = - [%#sinvariant46] inv'10 self.current /\ inv'10 self.final + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_MapInv'0)) + goal vc_produces_refl'0 : [%#sfuse0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_trans [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (* as std::iter::Iterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_MapInv'0) [inv'2 x] . 
inv'2 x = invariant'1 x + type t_I'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_MapInv'0)) = - [%#sresolve26] self.final = self.current + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_MapInv'0)) = - resolve'1 _1 + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - type t_Option'1 = - | C_None'1 - | C_Some'1 t_B'0 + type t_Item'0 - use prelude.prelude.Intrinsic + use seq.Seq - use prelude.prelude.Snapshot + use seq.Seq - use prelude.prelude.Snapshot + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'1 [inv'3 x] . inv'3 x + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'8 a_0 + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 end - predicate completed'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 14 4 14 35] (self : borrowed (t_MapInv'0)) - - = - [%#smap_inv20] Snapshot.inner (self.final).t_MapInv__produced'0 = (Seq.empty : Seq.seq t_Item'0) - /\ completed'1 (Borrow.borrow_logic (self.current).t_MapInv__iter'0 (self.final).t_MapInv__iter'0 (Borrow.inherit_id (Borrow.get_id self) 1)) - /\ (self.current).t_MapInv__func'0 = (self.final).t_MapInv__func'0 - - meta "compute_max_steps" 1000000 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - let rec next'0 (self:borrowed (t_MapInv'0)) (return' (ret:t_Option'1))= {[@expl:next 'self' type invariant] [%#smap_inv6] inv'2 self} - (! 
bb0 - [ bb0 = s0 [ s0 = [ &old_self <- [%#smap_inv0] Snapshot.new self.current ] s1 | s1 = bb1 ] - | bb1 = s0 - [ s0 = {inv'0 (self.current).t_MapInv__iter'0} - Borrow.borrow_final {(self.current).t_MapInv__iter'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_I'0) -> - [ &_6 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { self.current with t_MapInv__iter'0 = _ret'.final } } ] - s1) - | s1 = next'1 {_6} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s2) - | s2 = bb2 ] - - | bb2 = any [ br0 -> {_5 = C_None'0 } (! bb5) | br1 (x0:t_Item'0)-> {_5 = C_Some'0 x0} (! bb4) ] - | bb4 = bb6 - | bb6 = s0 - [ s0 = v_Some'0 {_5} (fun (r0'0:t_Item'0) -> [ &v <- r0'0 ] s1) - | s1 = {[@expl:assertion] [%#smap_inv1] precondition'0 (self.current).t_MapInv__func'0 (v, (self.current).t_MapInv__produced'0)} - s2 - | s2 = bb7 ] - - | bb7 = s0 - [ s0 = - [ &produced <- [%#smap_inv2] Snapshot.new (Seq.snoc (Snapshot.inner (self.current).t_MapInv__produced'0) v) ] - - s1 - | s1 = bb8 ] - - | bb8 = s0 - [ s0 = {inv'1 (self.current).t_MapInv__func'0} - Borrow.borrow_final {(self.current).t_MapInv__func'0} {Borrow.inherit_id (Borrow.get_id self) 2} - (fun (_ret':borrowed t_F'0) -> - [ &_14 <- _ret' ] - -{inv'1 _ret'.final}- - [ &self <- { self with current = { self.current with t_MapInv__func'0 = _ret'.final } } ] - s1) - | s1 = [ &_15 <- (v, (self.current).t_MapInv__produced'0) ] s2 - | s2 = call_mut'0 {_14} {_15} (fun (_ret':t_B'0) -> [ &r <- _ret' ] s3) - | s3 = bb9 ] - - | bb9 = bb10 - | bb10 = s0 - [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = produced } } ] s1 - | s1 = [ &_19 <- [%#smap_inv3] Snapshot.new (let _ = () in ()) ] s2 - | s2 = bb11 ] - - | bb11 = s0 - [ s0 = {[@expl:assertion] [%#smap_inv4] produces_one'0 (Snapshot.inner old_self) r self.current} s1 | s1 = bb12 ] - - | bb12 = s0 - [ s0 = {[@expl:type invariant] inv'2 self} s1 - | s1 = -{resolve'0 self}- s2 - | s2 = [ &_0 <- C_Some'1 r ] s3 - | s3 
= bb13 ] - - | bb13 = bb14 - | bb14 = bb15 - | bb15 = bb17 - | bb5 = s0 [ s0 = [ &_24 <- [%#smap_inv5] Snapshot.new (Seq.empty : Seq.seq t_Item'0) ] s1 | s1 = bb16 ] - | bb16 = s0 - [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = _24 } } ] s1 - | s1 = {[@expl:type invariant] inv'2 self} s2 - | s2 = -{resolve'0 self}- s3 - | s3 = [ &_0 <- C_None'1 ] s4 - | s4 = bb17 ] - - | bb17 = bb18 - | bb18 = return' {_0} ] - ) - [ & _0 : t_Option'1 = any_l () - | & self : borrowed (t_MapInv'0) = self - | & old_self : Snapshot.snap_ty (t_MapInv'0) = any_l () - | & _5 : t_Option'0 = any_l () - | & _6 : borrowed t_I'0 = any_l () - | & v : t_Item'0 = any_l () - | & produced : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () - | & r : t_B'0 = any_l () - | & _14 : borrowed t_F'0 = any_l () - | & _15 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) = any_l () - | & _19 : Snapshot.snap_ty () = any_l () - | & _24 : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () ] - - [ return' (result:t_Option'1)-> {[@expl:next result type invariant] [%#smap_inv7] inv'3 result} - {[@expl:next ensures] [%#smap_inv8] match result with - | C_None'1 -> completed'0 self - | C_Some'1 v -> produces_one'0 self.current v self.final - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__preservation_inv [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (* std::iter::map_inv::MapInv::Item, F> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 - let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end - use seq.Seq + function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 - type t_Item'0 + axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse5] inv'0 self -> inv'1 (view'0 self)) + && ([%#sfuse6] forall other : t_Fuse'0 . 
view'0 self = view'0 other -> self = other) use seq.Seq - type t_I'0 + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - type t_F'0 + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use prelude.prelude.Borrow + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) - type t_B'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use prelude.prelude.Snapshot + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + = + [%#sfuse4] match view'0 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self + | C_Some'0 i -> match view'0 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + constant a : t_Fuse'0 - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + constant ab : Seq.seq t_Item'0 - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq 
t_Item'0))) (res : t_B'0) : () - + constant b : t_Fuse'0 - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + constant bc : Seq.seq t_Item'0 - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant c : t_Fuse'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) - -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) + goal vc_produces_trans'0 : ([%#sfuse1] produces'0 b bc c) + -> ([%#sfuse0] produces'0 a ab b) -> ([%#sfuse2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi7691061398646472980__is_fused [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (* as std::iter::fuse::FusedIterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 63 15 63 31 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 64 15 64 44 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 65 14 65 50 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 61 4 61 10 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 20 12 21 28 + let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 + let%span sfuse7 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 + let%span sfuse8 = 
"../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 + let%span sfuse9 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 + let%span sfuse10 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 + let%span sfuse11 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 + let%span smodel12 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfuse13 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse14 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_I'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops3] postcondition_mut'0 self args res_state res) - -> ([%#sops4] unnest'0 self res_state) + type t_Item'0 use seq.Seq use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'0 a ab b) - -> ([%#siter12] produces'0 b bc c) -> ([%#siter13] produces'0 a (Seq.(++) ab bc) c) + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter10] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end - use prelude.prelude.Snapshot + function view'1 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + axiom view'1_spec : forall self : t_Fuse'0 . ([%#sfuse13] inv'0 self -> inv'1 (view'1 self)) + && ([%#sfuse14] forall other : t_Fuse'0 . 
view'1 self = view'1 other -> self = other) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - = - [%#smap_inv2] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new s) - -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - constant iter : t_I'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) + -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) - constant func : t_F'0 + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - constant produced : Seq.seq t_Item'0 + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + = + [%#sfuse5] match view'1 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'1 other = view'1 self + | C_Some'0 i -> match view'1 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - goal vc_preservation_inv'0 : [%#smap_inv0] produced = (Seq.empty : Seq.seq t_Item'0) - -> ([%#smap_inv1] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) - -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) - = preservation'0 iter func + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () + + = + [%#sfuse11] () + + axiom produces_trans'0_spec : forall a : t_Fuse'0, ab : Seq.seq t_Item'0, b : t_Fuse'0, bc : Seq.seq t_Item'0, c : t_Fuse'0 . ([%#sfuse8] produces'0 a ab b) + -> ([%#sfuse9] produces'0 b bc c) -> ([%#sfuse10] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () = + [%#sfuse7] () + + axiom produces_refl'0_spec : forall self : t_Fuse'0 . 
[%#sfuse6] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + + use prelude.prelude.Borrow + + function view'0 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (t_Fuse'0)) : t_Option'0 = + [%#smodel12] view'1 self.current + + predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + + predicate completed'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 18 4 18 35] (self : borrowed (t_Fuse'0)) = + [%#sfuse4] (view'0 self = C_None'0 + \/ (exists it : borrowed t_I'0 . completed'1 it /\ view'0 self = C_Some'0 (it.current))) + /\ view'1 self.final = C_None'0 + + constant self : borrowed (t_Fuse'0) + + constant steps : Seq.seq t_Item'0 + + constant next : t_Fuse'0 + + function is_fused'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (self : borrowed (t_Fuse'0)) (steps : Seq.seq t_Item'0) (next : t_Fuse'0) : () + + + goal vc_is_fused'0 : ([%#sfuse1] produces'0 self.final steps next) + -> ([%#sfuse0] completed'0 self) -> ([%#sfuse2] steps = (Seq.empty : Seq.seq t_Item'0) /\ self.final = next) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__produces_one [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (* std::iter::map_inv::MapInv::Item, F> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv7 = 
"../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops15 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops16 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops17 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops18 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops19 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 +module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_refl [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (* as std::iter::Iterator> *) + let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 80 14 80 45 + let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 78 4 78 10 + let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 + let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 + let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops10 = 
"../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq + type t_B'0 + use seq.Seq type t_I'0 type t_F'0 - type t_Item'0 + type t_Map'0 = + { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } - use seq.Seq + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use prelude.prelude.Snapshot + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) - type t_B'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x + = match x with + | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f + end - use seq.Seq + function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 - use seq.Seq + axiom func'0_spec : forall self : t_Map'0 . 
[%#smap3] inv'0 self -> inv'1 (func'0 self) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + type t_Item'0 + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) use prelude.prelude.Borrow predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops19] postcondition_once'0 self args res + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops11] postcondition_once'0 self args res = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) 
@@ -3645,18 +4348,20 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops16] unnest'0 self b) - -> ([%#sops17] unnest'0 b c) -> ([%#sops18] unnest'0 self c) + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) + -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops15] unnest'0 self self + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops13] postcondition_mut'0 self args res_state res) - -> ([%#sops14] unnest'0 self res_state) + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) + -> ([%#sops6] unnest'0 self res_state) + + use seq.Seq use seq.Seq 
@@ -3666,6 +4371,10 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr use seq.Seq + function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Map'0 . [%#smap4] inv'0 self -> inv'2 (iter'0 self) + use seq.Seq use seq.Seq @@ -3673,19 +4382,15 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter10] produces'1 a ab b) - -> ([%#siter11] produces'1 b bc c) -> ([%#siter12] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) + -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter9] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Snapshot - - use prelude.prelude.Snapshot + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use prelude.prelude.Int 
@@ -3693,461 +4398,429 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr use seq.Seq - use seq.Seq - - use prelude.prelude.Snapshot - - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) = - [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + [%#smap2] unnest'0 (func'0 self) (func'0 succ) /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited + /\ produces'1 (iter'0 self) s (iter'0 succ) /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 + func'0 self = func'0 succ else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + -> unnest'0 (func'0 self) (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () - - = - [%#smap_inv8] () + constant self : t_Map'0 - axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . 
([%#smap_inv5] produces'0 a ab b) - -> ([%#smap_inv6] produces'0 b bc c) -> ([%#smap_inv7] produces'0 a (Seq.(++) ab bc) c) + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (self : t_Map'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = - [%#smap_inv4] () + goal vc_produces_refl'0 : [%#smap0] produces'0 self (Seq.empty : Seq.seq t_B'0) self +end +module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_trans [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (* as std::iter::Iterator> *) + let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 85 15 85 32 + let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 86 15 86 32 + let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 87 14 87 42 + let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 83 4 83 10 + let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 + let%span smap5 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 + let%span smap6 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span 
siter17 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv3] produces'0 self (Seq.empty : Seq.seq t_B'0) self + type t_I'0 - use seq.Seq + type t_F'0 - use seq.Seq + type t_Map'0 = + { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } - constant self : t_MapInv'0 + type t_B'0 - constant visited : t_B'0 + use seq.Seq - constant succ : t_MapInv'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - goal vc_produces_one'0 : [%#smap_inv0] ([%#smap_inv1] exists f : borrowed t_F'0, e : t_Item'0 . f.current - = self.t_MapInv__func'0 - /\ f.final = succ.t_MapInv__func'0 - /\ produces'1 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e - /\ precondition'0 f.current (e, self.t_MapInv__produced'0) - /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited) - = produces'0 self (Seq.singleton visited) succ -end -module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_refl [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (* as std::iter::Iterator> *) - let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 31 14 31 45 - let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 29 4 29 10 - let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . 
inv'0 x + = match x with + | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f + end - type t_T'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 - use seq.Seq + axiom func'0_spec : forall self : t_Map'0 . [%#smap5] inv'0 self -> inv'1 (func'0 self) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_Item'0 - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) + - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + use prelude.prelude.Borrow - type t_Once'0 = - { t_Once__inner'0: t_IntoIter'0 } + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) + - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () + - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) - - = - [%#sonce2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - - constant self : t_Once'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops13] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (self : t_Once'0) : () + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - goal vc_produces_refl'0 : [%#sonce0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_trans [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (* as std::iter::Iterator> *) - let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 36 15 36 32 - let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 37 15 37 32 - let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 38 14 38 42 - let%span sonce3 = "../../../creusot-contracts/src/std/iter/once.rs" 34 4 34 10 - let%span sonce4 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - type t_T'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops10] unnest'0 self b) + -> ([%#sops11] unnest'0 b c) -> ([%#sops12] unnest'0 self c) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops9] unnest'0 self self - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () + - type t_Once'0 = - { t_Once__inner'0: t_IntoIter'0 } + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . 
([%#sops7] postcondition_mut'0 self args res_state res) + -> ([%#sops8] unnest'0 self res_state) use seq.Seq use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) - - = - [%#sonce4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - use seq.Seq - constant a : t_Once'0 + use seq.Seq - constant ab : Seq.seq t_T'0 + function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 - constant b : t_Once'0 + axiom iter'0_spec : forall self : t_Map'0 . [%#smap6] inv'0 self -> inv'2 (iter'0 self) - constant bc : Seq.seq t_T'0 + use seq.Seq - constant c : t_Once'0 + use seq.Seq - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (a : t_Once'0) (ab : Seq.seq t_T'0) (b : t_Once'0) (bc : Seq.seq t_T'0) (c : t_Once'0) : () + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - goal vc_produces_trans'0 : ([%#sonce1] produces'0 b bc c) - -> ([%#sonce0] produces'0 a ab b) -> ([%#sonce2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 30 4 30 10 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b 
: t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - type t_Idx'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter15] produces'1 a ab b) + -> ([%#siter16] produces'1 b bc c) -> ([%#siter17] produces'1 a (Seq.(++) ab bc) c) - use seq.Seq + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - type t_Range'0 = - { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter14] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use prelude.prelude.Int - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + use seq.Seq use seq.Seq + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) = - [%#srange2] self.t_Range__end'0 = o.t_Range__end'0 - /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 - /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) - /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + [%#smap4] unnest'0 (func'0 self) (func'0 succ) + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited + /\ produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int . 
1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + func'0 self = func'0 succ + else + (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - - constant self : t_Range'0 + -> unnest'0 (func'0 self) (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (self : t_Range'0) : () + use seq.Seq - goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 35 4 35 10 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 + constant a : t_Map'0 - type t_Idx'0 + constant ab : Seq.seq t_B'0 - type t_Range'0 = - { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } + constant b : t_Map'0 - use seq.Seq + constant bc : Seq.seq t_B'0 - use prelude.prelude.Int + constant c : t_Map'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (a : t_Map'0) (ab : Seq.seq t_B'0) (b : t_Map'0) (bc : Seq.seq t_B'0) (c : 
t_Map'0) : () + - use seq.Seq + goal vc_produces_trans'0 : ([%#smap1] produces'0 b bc c) + -> ([%#smap0] produces'0 a ab b) -> ([%#smap2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_refl [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) - - = - [%#srange4] self.t_Range__end'0 = o.t_Range__end'0 - /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 - /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) - /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 - /\ (forall i : 
int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) + type t_B'0 use seq.Seq - constant a : t_Range'0 + type t_I'0 - constant ab : Seq.seq t_Idx'0 + type t_F'0 - constant b : t_Range'0 + type t_Item'0 - constant bc : Seq.seq t_Idx'0 + use seq.Seq - constant c : t_Range'0 + use prelude.prelude.Snapshot - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (a : t_Range'0) (ab : Seq.seq t_Idx'0) (b : t_Range'0) (bc : Seq.seq t_Idx'0) (c : t_Range'0) : () + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) - -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__range__range_inclusive_len [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span sops1 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + use prelude.prelude.Borrow - type t_Idx'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : 
t_RangeInclusive'0) : t_Idx'0 + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - use prelude.prelude.Int + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) + -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops1] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - constant r : t_RangeInclusive'0 + axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops5] unnest'0 self self - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - goal vc_range_inclusive_len'0 : ([%#sops1] not is_empty_log'0 r - -> deep_model'0 (start_log'0 r) <= deep_model'0 (end_log'0 r)) - -> (if is_empty_log'0 r then - [%#srange0] is_empty_log'0 r = (0 = 0) - else - [%#srange0] is_empty_log'0 r = (deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 = 0) - ) -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops3] postcondition_mut'0 self args res_state res) + -> ([%#sops4] unnest'0 self res_state) use seq.Seq - type t_Idx'0 + use seq.Seq use seq.Seq - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + use seq.Seq use seq.Seq - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + use seq.Seq - use prelude.prelude.Int + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'1 a ab b) + -> ([%#siter12] produces'1 b bc c) -> ([%#siter13] produces'1 a (Seq.(++) ab bc) c) - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops5] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter10] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int - - = - [%#srange4] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + use prelude.prelude.Snapshot - axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange3] is_empty_log'0 r - = (range_inclusive_len'0 r = 0) + use prelude.prelude.Snapshot + + use prelude.prelude.Int use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) - + use seq.Seq + + use seq.Seq + + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + + + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + = - [%#srange2] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o - /\ (is_empty_log'0 self -> is_empty_log'0 o) - /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 
1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - constant self : t_RangeInclusive'0 + constant self : t_MapInv'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (self : t_RangeInclusive'0) : () - + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () - goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self + goal vc_produces_refl'0 : [%#smap_inv0] produces'0 self (Seq.empty : Seq.seq t_B'0) self end -module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 79 4 79 10 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 - let%span srange5 = 
"../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span srange6 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_trans [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_Idx'0 + type t_I'0 - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + type t_F'0 - use seq.Seq + type t_Item'0 use seq.Seq - function start_log'0 
[#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 - - use prelude.prelude.Int - - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + use prelude.prelude.Snapshot - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + type t_B'0 - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops7] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + use seq.Seq - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - = - [%#srange6] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 - axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . 
[%#srange5] is_empty_log'0 r - = (range_inclusive_len'0 r = 0) + use prelude.prelude.Borrow - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - = - [%#srange4] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o - /\ (is_empty_log'0 self -> is_empty_log'0 o) - /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - constant a : t_RangeInclusive'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops11] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - constant ab : Seq.seq t_Idx'0 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - constant b : t_RangeInclusive'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - constant bc : Seq.seq t_Idx'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops8] unnest'0 self b) + -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) - constant c : t_RangeInclusive'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (a : t_RangeInclusive'0) (ab : Seq.seq t_Idx'0) (b : t_RangeInclusive'0) (bc : Seq.seq t_Idx'0) (c : t_RangeInclusive'0) : () + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) - -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_refl [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (* as std::iter::Iterator> *) - let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 31 14 31 45 - let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 29 4 29 10 - let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops5] postcondition_mut'0 self args res_state res) + -> ([%#sops6] unnest'0 self res_state) use seq.Seq - type t_T'0 - use seq.Seq - type t_Repeat'0 = - { t_Repeat__element'0: t_T'0 } - - use prelude.prelude.Int + use seq.Seq use seq.Seq use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - = - [%#srepeat2] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) - constant self : t_Repeat'0 + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (self : t_Repeat'0) : () + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter13] produces'1 a ab b) + -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) - goal vc_produces_refl'0 : [%#srepeat0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_trans [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (* as std::iter::Iterator> *) - let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 36 15 36 32 - let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 37 15 37 32 - let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 38 14 38 42 - let%span srepeat3 = "../../../creusot-contracts/src/std/iter/repeat.rs" 34 4 34 10 - let%span srepeat4 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - type t_T'0 + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - type t_Repeat'0 = - { t_Repeat__element'0: t_T'0 } + use prelude.prelude.Snapshot - use seq.Seq + use prelude.prelude.Snapshot use prelude.prelude.Int 
@@ -4155,678 +4828,751 @@ module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__pro use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + + + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) = - [%#srepeat4] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) + [%#smap_inv4] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) use seq.Seq - constant a : t_Repeat'0 + constant a : t_MapInv'0 - constant ab : Seq.seq t_T'0 + constant ab : Seq.seq t_B'0 - constant b : t_Repeat'0 + constant b : t_MapInv'0 - constant bc : Seq.seq t_T'0 + constant bc : Seq.seq t_B'0 - constant c : t_Repeat'0 + constant c : t_MapInv'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (a : t_Repeat'0) (ab : Seq.seq t_T'0) (b : t_Repeat'0) (bc : Seq.seq t_T'0) (c : t_Repeat'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () - goal vc_produces_trans'0 : ([%#srepeat1] produces'0 b bc c) - -> ([%#srepeat0] produces'0 a ab b) -> ([%#srepeat2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#smap_inv1] produces'0 b bc c) + -> ([%#smap_inv0] produces'0 a ab b) -> ([%#smap_inv2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_refl [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (* as std::iter::Iterator> *) - let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 73 14 73 45 - let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 71 4 71 10 - let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 - let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 - let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 
39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_Item'0 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi5691635635396426195__resolve_coherence [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (* as resolve::Resolve> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 62 15 62 39 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 63 14 63 31 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 60 4 60 23 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 57 8 57 50 - use seq.Seq + use prelude.prelude.Borrow type t_I'0 - use prelude.prelude.UIntSize - - type t_Skip'0 = - { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } - - use prelude.prelude.Int + type t_F'0 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_B'0 - use prelude.prelude.UIntSize + use seq.Seq - function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + use prelude.prelude.Snapshot - axiom n'0_spec : forall self : t_Skip'0 . 
[%#sskip3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_B'0) } - use seq.Seq + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : Snapshot.snap_ty (Seq.seq t_B'0)) + = + true - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_I'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x - = match x with - | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter - end - - function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Skip'0 . 
[%#sskip4] inv'0 self -> inv'1 (iter'0 self) + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_MapInv'0) = + match _1 with + | {t_MapInv__iter'0 = x0 ; t_MapInv__func'0 = x1 ; t_MapInv__produced'0 = x2} -> resolve'1 x2 + /\ resolve'2 x1 /\ resolve'3 x0 + end - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 28] (self : t_MapInv'0) = + [%#smap_inv3] resolve'3 self.t_MapInv__iter'0 /\ resolve'2 self.t_MapInv__func'0 - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + constant self : t_MapInv'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function resolve_coherence'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (self : t_MapInv'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use seq.Seq + goal vc_resolve_coherence'0 : ([%#smap_inv0] structural_resolve'0 self) -> ([%#smap_inv1] resolve'0 self) +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4413682431414748756__next [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 4 90 44] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 91 39 91 58 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 94 16 94 76 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 95 31 95 71 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 99 38 99 88 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 100 32 100 63 + let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 105 32 105 56 + let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 17 90 21 + let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 26 90 44 + let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 86 14 89 5 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 103 26 106 17 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 162 27 162 52 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 163 26 163 71 + let%span smap_inv12 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 163 15 163 31 + let%span smap_inv13 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 164 4 164 60 + let%span smap_inv14 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 165 15 165 30 + let%span smap_inv15 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 166 15 166 64 + let%span smap_inv16 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 167 14 167 74 + let%span smap_inv17 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 168 14 168 75 + let%span smap_inv18 = 
"../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 + let%span smap_inv19 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 + let%span smap_inv20 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9 + let%span smap_inv21 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 74 12 76 73 + let%span smap_inv22 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 + let%span smap_inv23 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 + let%span smap_inv24 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 117 12 119 63 + let%span smap_inv25 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sresolve26 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smap_inv27 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv28 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv29 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv30 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv31 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv32 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span siter33 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter34 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter35 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter36 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span sops37 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops38 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops39 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops40 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops41 = "../../../creusot-contracts/src/std/ops.rs" 121 
15 121 26 + let%span sops42 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops43 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span smap_inv44 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 153 12 156 47 + let%span smap_inv45 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 + let%span sinvariant46 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 use prelude.prelude.Borrow - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) - - = - [%#sskip2] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o - \/ n'0 o = 0 - /\ Seq.length visited > 0 - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self - /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - - constant self : t_Skip'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (self : t_Skip'0) : () - - goal vc_produces_refl'0 : [%#sskip0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_trans [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (* as std::iter::Iterator> *) - let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 78 15 78 32 - let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 79 15 79 32 - let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 80 14 80 42 - let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 76 4 76 10 - let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 - let%span sskip5 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 - let%span sskip6 = 
"../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + use prelude.prelude.Snapshot type t_I'0 - use prelude.prelude.UIntSize + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - type t_Skip'0 = - { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + type t_F'0 type t_Item'0 use seq.Seq - use seq.Seq - - use prelude.prelude.Int + use prelude.prelude.Snapshot - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - use prelude.prelude.UIntSize + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_I'0) = + [%#sinvariant46] inv'0 self.current /\ inv'0 self.final - function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_I'0) - axiom n'0_spec : forall self : t_Skip'0 . [%#sskip5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + axiom inv_axiom'2 [@rewrite] : forall x : borrowed t_I'0 [inv'4 x] . 
inv'4 x = invariant'2 x - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_Item'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate inv'9 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Item'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'5 x] . inv'5 x = match x with - | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + | C_None'0 -> true + | C_Some'0 a_0 -> inv'9 a_0 end - function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip6] inv'0 self -> inv'1 (iter'0 self) + use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter34] produces'0 a ab b) + -> ([%#siter35] produces'0 b bc c) -> ([%#siter36] produces'0 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter33] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + + predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) use seq.Seq - use prelude.prelude.Borrow + let rec next'1 (self:borrowed t_I'0) (return' (ret:t_Option'0))= {[@expl:next 'self' type invariant] inv'4 self} + any + [ return' (result:t_Option'0)-> {inv'5 result} + {[%#siter9] match result with + | C_None'0 -> completed'1 self + | C_Some'0 v -> produces'0 self.current (Seq.singleton v) self.final + end} + (! return' {result}) ] + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Item'0))= any + [ good (field_0:t_Item'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Item'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - = - [%#sskip4] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o - \/ n'0 o = 0 - /\ Seq.length visited > 0 - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self - /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) - /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - constant a : t_Skip'0 + use prelude.prelude.Snapshot - constant ab : Seq.seq t_Item'0 + use seq.Seq - constant b : t_Skip'0 + use prelude.prelude.Snapshot - constant bc : Seq.seq t_Item'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - constant c : t_Skip'0 + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_F'0) = + [%#sinvariant46] inv'1 self.current /\ inv'1 self.final - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (a : t_Skip'0) (ab : Seq.seq t_Item'0) (b : t_Skip'0) (bc : Seq.seq t_Item'0) (c : t_Skip'0) : () - + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_F'0) - goal vc_produces_trans'0 : ([%#sskip1] produces'0 b bc c) - -> ([%#sskip0] produces'0 a ab b) -> ([%#sskip2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_refl [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (* as std::iter::Iterator> *) - let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 71 14 71 45 - let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 69 4 69 10 - let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 - let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 - let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom inv_axiom'4 [@rewrite] : forall x : borrowed t_F'0 [inv'6 x] . 
inv'6 x = invariant'3 x - use seq.Seq + predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + - type t_Item'0 + axiom inv_axiom'5 [@rewrite] : forall x : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) [inv'7 x] . inv'7 x + = (let (x0, x1) = x in inv'9 x0) - use seq.Seq + type t_B'0 - type t_I'0 + predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) - use prelude.prelude.UIntSize + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + - type t_Take'0 = - { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - use prelude.prelude.Int + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - use prelude.prelude.UIntSize + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops43] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'2 res_state) - function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - axiom n'0_spec : forall self : t_Take'0 . 
[%#stake3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - use seq.Seq + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops40] unnest'0 self b) + -> ([%#sops41] unnest'0 b c) -> ([%#sops42] unnest'0 self c) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops39] unnest'0 self self - axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x - = match x with - | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter - end + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + - function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops37] postcondition_mut'0 self args res_state res) + -> ([%#sops38] unnest'0 self res_state) - axiom iter'0_spec : forall self : t_Take'0 . 
[%#stake4] inv'0 self -> inv'1 (iter'0 self) - - use seq.Seq - - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + let rec call_mut'0 (self:borrowed t_F'0) (args:(t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (return' (ret:t_B'0))= {[@expl:call_mut 'self' type invariant] inv'6 self} + {[@expl:call_mut 'args' type invariant] inv'7 args} + {[@expl:call_mut requires] [%#sops10] precondition'0 self.current args} + any + [ return' (result:t_B'0)-> {inv'8 result} + {[%#sops11] postcondition_mut'0 self.current args self.final result} + (! return' {result}) ] - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + predicate next_precondition'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 115 4 115 78] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + = + [%#smap_inv24] forall e : t_Item'0, i : t_I'0 . produces'0 iter (Seq.singleton e) i + -> precondition'0 func (e, Snapshot.new produced) - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) + + = + [%#smap_inv45] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new s) + -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + predicate reinitialize'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 151 4 151 33] (_1 : ()) = + [%#smap_inv44] forall iter : borrowed t_I'0, func : t_F'0 . completed'1 iter + -> next_precondition'0 iter.final func (Seq.empty : Seq.seq t_Item'0) /\ preservation'0 iter.final func - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) = - [%#stake2] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) - - constant self : t_Take'0 + [%#smap_inv23] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (self : t_Take'0) : () + axiom preservation_inv'0_spec : forall iter : t_I'0, func : t_F'0, produced : Seq.seq t_Item'0 . 
[%#smap_inv22] produced + = (Seq.empty : Seq.seq t_Item'0) -> preservation_inv'0 iter func produced = preservation'0 iter func - goal vc_produces_refl'0 : [%#stake0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_trans [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (* as std::iter::Iterator> *) - let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32 - let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 77 15 77 32 - let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 78 14 78 42 - let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 74 4 74 10 - let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 - let%span stake5 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 - let%span stake6 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 72 4 72 30] (self : t_MapInv'0) = + [%#smap_inv21] reinitialize'0 () + /\ preservation_inv'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) + /\ next_precondition'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) - type t_I'0 + function produces_one_invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 169 4 169 73] (self : t_MapInv'0) (e : t_Item'0) (r : t_B'0) (f : borrowed t_F'0) (iter : t_I'0) : () + - use prelude.prelude.UIntSize + axiom produces_one_invariant'0_spec : forall self : t_MapInv'0, e : t_Item'0, r : t_B'0, f : 
borrowed t_F'0, iter : t_I'0 . ([%#smap_inv12] invariant'0 self) + -> ([%#smap_inv13] produces'0 self.t_MapInv__iter'0 (Seq.singleton e) iter) + -> ([%#smap_inv14] f.current = self.t_MapInv__func'0) + -> ([%#smap_inv15] postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final r) + -> ([%#smap_inv16] preservation_inv'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) + && ([%#smap_inv17] next_precondition'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) - type t_Take'0 = - { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + use prelude.prelude.Snapshot - type t_Item'0 + use prelude.prelude.Snapshot use seq.Seq - use prelude.prelude.Int - - constant v_MAX'0 : usize = (18446744073709551615 : usize) + use seq.Seq - use prelude.prelude.UIntSize + use seq.Seq - function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + use seq.Seq - axiom n'0_spec : forall self : t_Take'0 . [%#stake5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + use seq.Seq use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x - = match x with - | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter - end + use prelude.prelude.Snapshot - function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + use prelude.prelude.Int - axiom iter'0_spec : forall self : t_Take'0 . 
[%#stake6] inv'0 self -> inv'1 (iter'0 self) + use seq.Seq use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use seq.Seq - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + predicate produces'1 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + = + [%#smap_inv25] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'0 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () = - [%#stake4] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) - - constant a : t_Take'0 - - constant ab : Seq.seq t_Item'0 + [%#smap_inv32] () - constant b : t_Take'0 + axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv29] produces'1 a ab b) + -> ([%#smap_inv30] produces'1 b bc c) -> ([%#smap_inv31] produces'1 a (Seq.(++) ab bc) c) - constant bc : Seq.seq t_Item'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = + [%#smap_inv28] () - constant c : t_Take'0 + axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv27] produces'1 self (Seq.empty : Seq.seq t_B'0) self - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (a : t_Take'0) (ab : Seq.seq t_Item'0) (b : t_Take'0) (bc : Seq.seq t_Item'0) (c : t_Take'0) : () + predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) + = + [%#smap_inv19] exists f : borrowed t_F'0, e : t_Item'0 . 
f.current = self.t_MapInv__func'0 + /\ f.final = succ.t_MapInv__func'0 + /\ produces'0 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e + /\ precondition'0 f.current (e, self.t_MapInv__produced'0) + /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited - goal vc_produces_trans'0 : ([%#stake1] produces'0 b bc c) - -> ([%#stake0] produces'0 a ab b) -> ([%#stake2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_refl [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (* as std::iter::Iterator> *) - let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45 - let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 53 4 53 10 - let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 - let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 - let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_Item'0 - - type t_Item'1 - - use seq.Seq - - type t_A'0 - - type t_B'0 - - use prelude.prelude.UIntSize - - type t_Zip'0 = - { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + axiom produces_one'0_spec : forall self : t_MapInv'0, visited : t_B'0, succ : t_MapInv'0 . 
[%#smap_inv18] produces_one'0 self visited succ + = produces'1 self (Seq.singleton visited) succ - use seq.Seq + predicate inv'10 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_MapInv'0) - use seq.Seq + axiom inv_axiom'6 [@rewrite] : forall x : t_MapInv'0 [inv'10 x] . inv'10 x + = (invariant'0 x + /\ match x with + | {t_MapInv__iter'0 = iter ; t_MapInv__func'0 = func ; t_MapInv__produced'0 = produced} -> inv'0 iter /\ inv'1 func + end) - use seq.Seq + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_MapInv'0)) = + [%#sinvariant46] inv'10 self.current /\ inv'10 self.final - use seq.Seq + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_MapInv'0)) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_MapInv'0) [inv'2 x] . inv'2 x = invariant'1 x - use prelude.prelude.Int + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_MapInv'0)) = + [%#sresolve26] self.final = self.current - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_MapInv'0)) = + resolve'1 _1 - use seq.Seq + type t_Option'1 = + | C_None'1 + | C_Some'1 t_B'0 - use seq.Seq + use prelude.prelude.Intrinsic - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + use prelude.prelude.Snapshot - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + use prelude.prelude.Snapshot - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) - axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'1 [inv'3 x] . 
inv'3 x = match x with - | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a - /\ inv'2 b + | C_None'1 -> true + | C_Some'1 a_0 -> inv'8 a_0 end - function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 - - axiom itera'0_spec : forall self : t_Zip'0 . [%#szip3] inv'0 self -> inv'1 (itera'0 self) - - use seq.Seq - - use seq.Seq - - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) - - - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + predicate completed'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 14 4 14 35] (self : borrowed (t_MapInv'0)) + = + [%#smap_inv20] Snapshot.inner (self.final).t_MapInv__produced'0 = (Seq.empty : Seq.seq t_Item'0) + /\ completed'1 (Borrow.borrow_logic (self.current).t_MapInv__iter'0 (self.final).t_MapInv__iter'0 (Borrow.inherit_id (Borrow.get_id self) 1)) + /\ (self.current).t_MapInv__func'0 = (self.final).t_MapInv__func'0 - axiom produces_trans'0_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () - - axiom produces_refl'1_spec : forall self : t_A'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 - - axiom iterb'0_spec : forall self : t_Zip'0 . 
[%#szip4] inv'0 self -> inv'2 (iterb'0 self) + meta "compute_max_steps" 1000000 - use seq.Seq - - use seq.Seq - - predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) - - - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + let rec next'0 (self:borrowed (t_MapInv'0)) (return' (ret:t_Option'1))= {[@expl:next 'self' type invariant] [%#smap_inv6] inv'2 self} + (! bb0 + [ bb0 = s0 [ s0 = [ &old_self <- [%#smap_inv0] Snapshot.new self.current ] s1 | s1 = bb1 ] + | bb1 = s0 + [ s0 = {inv'0 (self.current).t_MapInv__iter'0} + Borrow.borrow_final {(self.current).t_MapInv__iter'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_I'0) -> + [ &_6 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { self.current with t_MapInv__iter'0 = _ret'.final } } ] + s1) + | s1 = next'1 {_6} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s2) + | s2 = bb2 ] + + | bb2 = any [ br0 -> {_5 = C_None'0 } (! bb5) | br1 (x0:t_Item'0)-> {_5 = C_Some'0 x0} (! 
bb4) ] + | bb4 = bb6 + | bb6 = s0 + [ s0 = v_Some'0 {_5} (fun (r0'0:t_Item'0) -> [ &v <- r0'0 ] s1) + | s1 = {[@expl:assertion] [%#smap_inv1] precondition'0 (self.current).t_MapInv__func'0 (v, (self.current).t_MapInv__produced'0)} + s2 + | s2 = bb7 ] + + | bb7 = s0 + [ s0 = + [ &produced <- [%#smap_inv2] Snapshot.new (Seq.snoc (Snapshot.inner (self.current).t_MapInv__produced'0) v) ] + + s1 + | s1 = bb8 ] + + | bb8 = s0 + [ s0 = {inv'1 (self.current).t_MapInv__func'0} + Borrow.borrow_final {(self.current).t_MapInv__func'0} {Borrow.inherit_id (Borrow.get_id self) 2} + (fun (_ret':borrowed t_F'0) -> + [ &_14 <- _ret' ] + -{inv'1 _ret'.final}- + [ &self <- { self with current = { self.current with t_MapInv__func'0 = _ret'.final } } ] + s1) + | s1 = [ &_15 <- (v, (self.current).t_MapInv__produced'0) ] s2 + | s2 = call_mut'0 {_14} {_15} (fun (_ret':t_B'0) -> [ &r <- _ret' ] s3) + | s3 = bb9 ] + + | bb9 = bb10 + | bb10 = s0 + [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = produced } } ] s1 + | s1 = [ &_19 <- [%#smap_inv3] Snapshot.new (let _ = () in ()) ] s2 + | s2 = bb11 ] + + | bb11 = s0 + [ s0 = {[@expl:assertion] [%#smap_inv4] produces_one'0 (Snapshot.inner old_self) r self.current} s1 | s1 = bb12 ] + + | bb12 = s0 + [ s0 = {[@expl:type invariant] inv'2 self} s1 + | s1 = -{resolve'0 self}- s2 + | s2 = [ &_0 <- C_Some'1 r ] s3 + | s3 = bb13 ] + + | bb13 = bb14 + | bb14 = bb15 + | bb15 = bb17 + | bb5 = s0 [ s0 = [ &_24 <- [%#smap_inv5] Snapshot.new (Seq.empty : Seq.seq t_Item'0) ] s1 | s1 = bb16 ] + | bb16 = s0 + [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = _24 } } ] s1 + | s1 = {[@expl:type invariant] inv'2 self} s2 + | s2 = -{resolve'0 self}- s3 + | s3 = [ &_0 <- C_None'1 ] s4 + | s4 = bb17 ] + + | bb17 = bb18 + | bb18 = return' {_0} ] + ) + [ & _0 : t_Option'1 = any_l () + | & self : borrowed (t_MapInv'0) = self + | & old_self : Snapshot.snap_ty (t_MapInv'0) = any_l () + | & _5 : t_Option'0 = 
any_l () + | & _6 : borrowed t_I'0 = any_l () + | & v : t_Item'0 = any_l () + | & produced : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () + | & r : t_B'0 = any_l () + | & _14 : borrowed t_F'0 = any_l () + | & _15 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) = any_l () + | & _19 : Snapshot.snap_ty () = any_l () + | & _24 : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () ] - - axiom produces_trans'1_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter6] produces'2 a ab b) - -> ([%#siter7] produces'2 b bc c) -> ([%#siter8] produces'2 a (Seq.(++) ab bc) c) - - function produces_refl'2 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () - - axiom produces_refl'2_spec : forall self : t_B'0 . [%#siter5] produces'2 self (Seq.empty : Seq.seq t_Item'1) self - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + [ return' (result:t_Option'1)-> {[@expl:next result type invariant] [%#smap_inv7] inv'3 result} + {[@expl:next ensures] [%#smap_inv8] match result with + | C_None'1 -> completed'0 self + | C_Some'1 v -> produces_one'0 self.current v self.final + end} + (! return' {result}) ] - = - [%#szip2] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 - /\ Seq.length p2 = Seq.length visited - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) - /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) - - constant self : t_Zip'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (self : t_Zip'0) : () - - goal vc_produces_refl'0 : [%#szip0] produces'0 self (Seq.empty : Seq.seq (t_Item'0, t_Item'1)) self end -module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_trans [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (* as std::iter::Iterator> *) - let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32 - let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32 - let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42 - let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 58 4 58 10 - let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 - let%span szip5 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 - let%span szip6 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - type t_A'0 - - type t_B'0 - - use prelude.prelude.UIntSize - - type t_Zip'0 = - { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } - - type t_Item'0 - - type t_Item'1 - - use seq.Seq - - use seq.Seq - - use seq.Seq - - use seq.Seq - - use seq.Seq +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__preservation_inv [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (* std::iter::map_inv::MapInv::Item, F> *) + 
let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 + let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - use prelude.prelude.Int + type t_Item'0 use seq.Seq - use seq.Seq + type t_I'0 - use seq.Seq + type t_F'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + use prelude.prelude.Borrow - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + type t_B'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + use prelude.prelude.Snapshot - axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . 
inv'0 x - = match x with - | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a - /\ inv'2 b - end + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + - function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - axiom itera'0_spec : forall self : t_Zip'0 . [%#szip5] inv'0 self -> inv'1 (itera'0 self) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - use seq.Seq + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) - + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - axiom produces_trans'1_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . 
([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) + -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - axiom produces_refl'0_spec : forall self : t_A'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self - function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + - axiom iterb'0_spec : forall self : t_Zip'0 . [%#szip6] inv'0 self -> inv'2 (iterb'0 self) + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops3] postcondition_mut'0 self args res_state res) + -> ([%#sops4] unnest'0 self res_state) use seq.Seq use seq.Seq - predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'2 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'2_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter8] produces'2 a ab b) - -> ([%#siter9] produces'2 b bc c) -> ([%#siter10] produces'2 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'0 a ab b) + -> ([%#siter12] produces'0 b bc c) -> ([%#siter13] produces'0 a (Seq.(++) ab bc) c) - axiom produces_refl'1_spec : forall self : t_B'0 . [%#siter7] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) - - = - [%#szip4] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 - /\ Seq.length p2 = Seq.length visited - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) - /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter10] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - use seq.Seq + use prelude.prelude.Snapshot - constant a : t_Zip'0 + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + - constant ab : Seq.seq (t_Item'0, t_Item'1) + predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) + + = + [%#smap_inv2] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new s) + -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - constant b : t_Zip'0 + constant iter : t_I'0 - constant bc : Seq.seq (t_Item'0, t_Item'1) + constant func : t_F'0 - constant c : t_Zip'0 + constant produced : Seq.seq t_Item'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (a : t_Zip'0) (ab : Seq.seq (t_Item'0, t_Item'1)) (b : t_Zip'0) (bc : Seq.seq (t_Item'0, t_Item'1)) (c : t_Zip'0) : () + predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - goal vc_produces_trans'0 : ([%#szip1] produces'0 b bc c) - -> ([%#szip0] produces'0 a ab b) -> ([%#szip2] produces'0 a (Seq.(++) ab bc) c) + goal vc_preservation_inv'0 : [%#smap_inv0] produced = (Seq.empty : Seq.seq t_Item'0) + -> ([%#smap_inv1] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) + = preservation'0 iter func end -module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_refl [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (* <&mut I as std::iter::Iterator> *) - let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 222 14 222 45 - let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 220 4 220 10 - let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 - let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__produces_one [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (* std::iter::map_inv::MapInv::Item, F> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span 
smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops15 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops16 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops17 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops18 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops19 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + + use seq.Seq use seq.Seq + type t_I'0 + + type t_F'0 + type t_Item'0 use seq.Seq - use prelude.prelude.Borrow + use prelude.prelude.Snapshot - type t_I'0 + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + + type t_B'0 use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + use seq.Seq + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args 
: (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter4] produces'1 a ab b) - -> ([%#siter5] produces'1 b bc c) -> ([%#siter6] produces'1 a (Seq.(++) ab bc) c) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops19] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter3] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - = - [%#siter2] produces'1 self.current visited o.current /\ self.final = o.final - constant self : borrowed t_I'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops16] unnest'0 self b) + -> ([%#sops17] unnest'0 b c) -> ([%#sops18] unnest'0 self c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (self : borrowed t_I'0) : () + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - goal vc_produces_refl'0 : [%#siter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_trans [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (* <&mut I as std::iter::Iterator> *) - let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 227 15 227 32 - let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 228 15 228 32 - let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 229 14 229 42 - let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 225 4 225 10 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops15] unnest'0 self self - use prelude.prelude.Borrow + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + - type t_I'0 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops13] postcondition_mut'0 self args res_state res) + -> ([%#sops14] unnest'0 self res_state) - type t_Item'0 + use seq.Seq + + use seq.Seq + + use seq.Seq use seq.Seq 
@@ -4840,1158 +5586,2322 @@ module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_tr function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter10] produces'1 a ab b) + -> ([%#siter11] produces'1 b bc c) -> ([%#siter12] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter9] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + + + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) = - [%#siter4] produces'1 self.current visited o.current /\ self.final = o.final + [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - constant a : borrowed t_I'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + + = + [%#smap_inv8] () - constant ab : Seq.seq t_Item'0 + axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv5] produces'0 a ab b) + -> ([%#smap_inv6] produces'0 b bc c) -> ([%#smap_inv7] produces'0 a (Seq.(++) ab bc) c) - constant b : borrowed t_I'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = + [%#smap_inv4] () - constant bc : Seq.seq t_Item'0 + axiom produces_refl'0_spec : forall self : t_MapInv'0 . 
[%#smap_inv3] produces'0 self (Seq.empty : Seq.seq t_B'0) self - constant c : borrowed t_I'0 + use seq.Seq - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (a : borrowed t_I'0) (ab : Seq.seq t_Item'0) (b : borrowed t_I'0) (bc : Seq.seq t_Item'0) (c : borrowed t_I'0) : () + use seq.Seq + + constant self : t_MapInv'0 + + constant visited : t_B'0 + + constant succ : t_MapInv'0 + + predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - goal vc_produces_trans'0 : ([%#siter1] produces'0 b bc c) - -> ([%#siter0] produces'0 a ab b) -> ([%#siter2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_one'0 : [%#smap_inv0] ([%#smap_inv1] exists f : borrowed t_F'0, e : t_Item'0 . f.current + = self.t_MapInv__func'0 + /\ f.final = succ.t_MapInv__func'0 + /\ produces'1 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e + /\ precondition'0 f.current (e, self.t_MapInv__produced'0) + /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited) + = produces'0 self (Seq.singleton visited) succ end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_unwrap_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 103 16 105 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 103 43 103 44 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 103 52 103 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 99 26 102 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_refl [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (* as 
std::iter::Iterator> *) + let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 31 14 31 45 + let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 29 4 29 10 + let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 + + use seq.Seq type t_T'0 + use seq.Seq + type t_Option'0 = | C_None'0 | C_Some'0 t_T'0 - type t_F'0 + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - use prelude.prelude.Borrow + type t_Once'0 = + { t_Once__inner'0: t_IntoIter'0 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + = + [%#sonce2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + constant self : t_Once'0 - axiom inv_axiom'1 [@rewrite] : forall x : () [inv'3 x] . 
inv'3 x = true + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (self : t_Once'0) : () - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + goal vc_produces_refl'0 : [%#sonce0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_trans [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (* as std::iter::Iterator> *) + let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 36 15 36 32 + let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 37 15 37 32 + let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 38 14 38 42 + let%span sonce3 = "../../../creusot-contracts/src/std/iter/once.rs" 34 4 34 10 + let%span sonce4 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_T'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) - + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_T'0)-> {inv'2 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] - + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - use prelude.prelude.Intrinsic + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + type t_Once'0 = + { t_Once__inner'0: t_IntoIter'0 } - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end - - meta "compute_max_steps" 1000000 + use seq.Seq - let rec extern_spec_std_option_T_Option_T_unwrap_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- t ] s4 - | s4 = bb8 ] - - | bb8 = bb9 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb9 - | bb9 = bb10 - | bb10 = bb11 - | bb11 = return' {_0} ] - ) - [ & _0 : t_T'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & _7 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body result type invariant] [%#soption2] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> postcondition_once'0 f () result - | C_Some'0 t -> result = t - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_body [#"../../../creusot-contracts/src/std/option.rs" 131 16 133 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 131 35 131 36 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 123 27 126 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 131 44 131 53 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 127 26 130 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + use seq.Seq - type t_T'0 + function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - type t_Option'1 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + = + [%#sonce4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - type t_F'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + constant a : t_Once'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant ab : Seq.seq t_T'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant b : t_Once'0 - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + constant bc : Seq.seq t_T'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + constant c : t_Once'0 - type t_U'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (a : t_Once'0) (ab : Seq.seq t_T'0) (b : t_Once'0) (bc : Seq.seq t_T'0) (c : t_Once'0) : () + - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + goal vc_produces_trans'0 : ([%#sonce1] produces'0 b bc c) + -> ([%#sonce0] produces'0 a ab b) -> ([%#sonce2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 30 4 30 10 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! 
return' {result}) ] - + type t_Idx'0 - type t_Option'0 = - | C_None'1 - | C_Some'1 t_U'0 + use seq.Seq - use prelude.prelude.Borrow + type t_Range'0 = + { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Intrinsic + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'5 a_0 - end + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + + = + [%#srange2] self.t_Range__end'0 = o.t_Range__end'0 + /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 + /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) + /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'4 a_0 - end + constant self : t_Range'0 - meta "compute_max_steps" 1000000 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (self : t_Range'0) : () - let rec extern_spec_std_option_T_Option_T_map_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_map_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_map_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_9 <- (t) ] s2 - | s2 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_7 <- _ret' ] s3) - | s3 = bb7 ] - - | bb7 = bb8 - | bb8 = s0 [ s0 = [ &_0 <- C_Some'1 _7 ] s1 | s1 = bb9 ] - | bb9 = bb10 - | bb10 = bb11 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb11 ] - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'1 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _7 : t_U'0 = any_l () - | & _9 : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_map_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'1 - | C_Some'0 t -> exists r : t_U'0 . result = C_Some'1 r /\ postcondition_once'0 f (t) r - end} - (! 
return' {result}) ] - + goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_inspect_body [#"../../../creusot-contracts/src/std/option.rs" 149 16 151 33] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 149 36 149 37 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 140 27 143 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 149 45 149 54 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 145 26 148 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - - type t_T'0 +module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 35 4 35 10 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_Idx'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] - + type t_Range'0 = + { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } - type t_F'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Borrow + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant6] inv'4 self + use seq.Seq - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + + = + [%#srange4] self.t_Range__end'0 = o.t_Range__end'0 + /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 + /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) + /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant a : t_Range'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = (let (x0) = x in inv'5 x0) + constant ab : Seq.seq t_Idx'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + constant b : t_Range'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + constant bc : Seq.seq t_Idx'0 - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . 
inv'3 x = true + constant c : t_Range'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : ()) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (a : t_Range'0) (ab : Seq.seq t_Idx'0) (b : t_Range'0) (bc : Seq.seq t_Idx'0) (c : t_Range'0) : () - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:()))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'2 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any [ return' (result:())-> {inv'3 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) + -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__range__range_inclusive_len [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span sops1 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + type t_Idx'0 - use prelude.prelude.Intrinsic + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end - - meta "compute_max_steps" 1000000 - - let rec extern_spec_std_option_T_Option_T_inspect_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = any [ br0 -> {self_ = C_None'0 } (! bb5) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb6) ] - | bb6 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_12 <- t ] s2 - | s2 = [ &_10 <- (_12) ] s3 - | s3 = call_once'0 {f} {_10} (fun (_ret':()) -> [ &_8 <- _ret' ] s4) - | s4 = bb8 ] - - | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] - | bb9 = bb10 - | bb10 = bb11 - | bb5 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb7 ] - | bb7 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb11 ] - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _8 : () = any_l () - | & _10 : t_T'0 = any_l () - | & _12 : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_inspect_body result type invariant] [%#soption3] inv'1 result} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #0] [%#soption0] result = self_} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #1] [%#soption4] match self_ with - | C_None'0 -> true - | C_Some'0 t -> postcondition_once'0 f (t) () - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_body [#"../../../creusot-contracts/src/std/option.rs" 166 16 168 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 166 38 166 45 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 166 50 166 51 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 158 27 161 17 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 166 59 166 60 - let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 162 26 165 17 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - - type t_T'0 + use prelude.prelude.Int - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - type t_U'0 + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool - use prelude.prelude.Borrow + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops1] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_U'0) + constant r : t_RangeInclusive'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int - type t_F'0 - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + goal vc_range_inclusive_len'0 : ([%#sops1] not is_empty_log'0 r + -> deep_model'0 (start_log'0 r) <= deep_model'0 (end_log'0 r)) + -> (if is_empty_log'0 r then + [%#srange0] is_empty_log'0 r = (0 = 0) + else + [%#srange0] is_empty_log'0 r = (deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 = 0) + ) +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Idx'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'4 x0) + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops6] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'0 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] - + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Intrinsic + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool - meta "compute_max_steps" 1000000 + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . 
[%#sops5] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) - let rec extern_spec_std_option_T_Option_T_map_or_body'0 (self_:t_Option'0) (default:t_U'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'default' type invariant] [%#soption1] inv'0 default} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'f' type invariant] [%#soption2] inv'1 f} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body requires] [%#soption3] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 default} s1 - | s1 = -{resolve'0 default}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_9 <- (t) ] s4 - | s4 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) - | s5 = bb7 ] - - | bb7 = bb8 - | bb8 = bb9 - | bb9 = bb10 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- default ] s1 | s1 = bb10 ] - | bb10 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_U'0 = any_l () - | & self_ : t_Option'0 = self_ - | & default : t_U'0 = default - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _9 : t_T'0 = any_l () ] - - [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_body result type invariant] [%#soption4] inv'0 result} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body ensures] [%#soption5] match self_ with - | C_None'0 -> result = default - | C_Some'0 t -> postcondition_once'0 f (t) result - end} - (! 
return' {result}) ] + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 183 16 186 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 183 46 183 53 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 183 58 183 59 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 175 27 178 17 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 183 67 183 68 - let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 179 26 182 17 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + = + [%#srange4] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 - type t_T'0 + axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange3] is_empty_log'0 r + = (range_inclusive_len'0 r = 0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - type t_D'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + + = + [%#srange2] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o + /\ (is_empty_log'0 self -> is_empty_log'0 o) + /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_D'0) + constant self : t_RangeInclusive'0 - use prelude.prelude.Borrow + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (self : t_RangeInclusive'0) : () + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_D'0) + goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 79 4 79 10 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 + let%span srange5 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span srange6 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] - + type t_Idx'0 - type t_F'0 + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = (let (x0) = x in inv'6 x0) + use prelude.prelude.Int - predicate precondition'1 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - type t_U'0 + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool - predicate postcondition_once'1 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops7] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'4 args} - {[@expl:call_once requires] [%#sops6] precondition'1 self args} - any - [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'1 self args result} (! 
return' {result}) ] + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + = + [%#srange6] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange5] is_empty_log'0 r + = (range_inclusive_len'0 r = 0) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + use seq.Seq - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true - - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_D'0) (args : ()) - - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_D'0) (args : ()) (result : t_U'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + = + [%#srange4] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o + /\ (is_empty_log'0 self -> is_empty_log'0 o) + /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) - let rec call_once'1 (self:t_D'0) (args:()) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops6] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'0 self args result} (! 
return' {result}) ] - + use seq.Seq - use prelude.prelude.Intrinsic + constant a : t_RangeInclusive'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + constant ab : Seq.seq t_Idx'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'6 a_0 - end + constant b : t_RangeInclusive'0 - meta "compute_max_steps" 1000000 + constant bc : Seq.seq t_Idx'0 - let rec extern_spec_std_option_T_Option_T_map_or_else_body'0 (self_:t_Option'0) (default:t_D'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'default' type invariant] [%#soption1] inv'0 default} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'f' type invariant] [%#soption2] inv'1 f} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body requires] [%#soption3] match self_ with - | C_None'0 -> precondition'0 default () - | C_Some'0 t -> precondition'1 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 default} s1 - | s1 = -{resolve'0 default}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_11 <- (t) ] s4 - | s4 = call_once'0 {f} {_11} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) - | s5 = bb8 ] - - | bb8 = bb9 - | bb9 = bb10 - | bb10 = bb11 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = call_once'1 {default} {_8} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = bb14 - | bb14 = return' {_0} ] - ) - [ & _0 : t_U'0 = any_l () - | & self_ : t_Option'0 = self_ - | & default : t_D'0 = default - | & f : t_F'0 = f - | & _8 : () = any_l () - | & t : t_T'0 = any_l () - | & _11 : t_T'0 = any_l () ] - - [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body result type invariant] [%#soption4] inv'3 result} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body ensures] [%#soption5] match self_ with - | C_None'0 -> postcondition_once'0 default () result - | C_Some'0 t -> postcondition_once'1 f (t) result - end} - (! 
return' {result}) ] + constant c : t_RangeInclusive'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (a : t_RangeInclusive'0) (ab : Seq.seq t_Idx'0) (b : t_RangeInclusive'0) (bc : Seq.seq t_Idx'0) (c : t_RangeInclusive'0) : () + + goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) + -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_ok_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 204 16 206 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 204 42 204 45 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 204 53 204 65 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 200 26 203 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_refl [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (* as std::iter::Iterator> *) + let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 31 14 31 45 + let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 29 4 29 10 + let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + + use seq.Seq type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - type t_F'0 + type t_Repeat'0 = + { t_Repeat__element'0: t_T'0 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Borrow + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! 
ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 - type t_E'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + + = + [%#srepeat2] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) - type t_Result'0 = - | C_Ok'0 t_T'0 - | C_Err'0 t_E'0 + constant self : t_Repeat'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (self : t_Repeat'0) : () - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + goal vc_produces_refl'0 : [%#srepeat0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_trans [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (* as std::iter::Iterator> *) + let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 36 15 36 32 + let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 37 15 37 32 + let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 38 14 38 42 + let%span srepeat3 = "../../../creusot-contracts/src/std/iter/repeat.rs" 34 4 34 10 + let%span srepeat4 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + type t_T'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_E'0) + type t_Repeat'0 = + { t_Repeat__element'0: t_T'0 } - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : 
t_E'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_E'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_E'0)-> {inv'4 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] - + use prelude.prelude.Int - use prelude.prelude.Intrinsic + use seq.Seq - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'5 a_0 - end + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + + = + [%#srepeat4] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Result'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Result'0 [inv'2 x] . 
inv'2 x - = match x with - | C_Ok'0 a_0 -> inv'5 a_0 - | C_Err'0 a_0 -> inv'4 a_0 - end + constant a : t_Repeat'0 - meta "compute_max_steps" 1000000 + constant ab : Seq.seq t_T'0 - let rec extern_spec_std_option_T_Option_T_ok_or_else_body'0 (self_:t_Option'0) (err:t_F'0) (return' (ret:t_Result'0))= {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'err' type invariant] [%#soption1] inv'0 err} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 err ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 err} s1 - | s1 = -{resolve'0 err}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- C_Ok'0 t ] s4 - | s4 = bb9 ] - - | bb9 = bb10 - | bb10 = bb11 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {err} {_8} (fun (_ret':t_E'0) -> [ &_6 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = s0 [ s0 = [ &_0 <- C_Err'0 _6 ] s1 | s1 = bb8 ] - | bb8 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Result'0 = any_l () - | & self_ : t_Option'0 = self_ - | & err : t_F'0 = err - | & _6 : t_E'0 = any_l () - | & _8 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_Result'0)-> {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body result type invariant] [%#soption2] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> exists r : t_E'0 . result = C_Err'0 r /\ postcondition_once'0 err () r - | C_Some'0 t -> result = C_Ok'0 t - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_and_then_body [#"../../../creusot-contracts/src/std/option.rs" 234 16 236 45] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 234 40 234 41 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 226 27 229 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 234 49 234 58 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 230 26 233 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + constant b : t_Repeat'0 - type t_T'0 + constant bc : Seq.seq t_T'0 - type t_Option'1 = - | C_None'0 - | C_Some'0 t_T'0 + constant c : t_Repeat'0 - let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! 
{false} any) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (a : t_Repeat'0) (ab : Seq.seq t_T'0) (b : t_Repeat'0) (bc : Seq.seq t_T'0) (c : t_Repeat'0) : () - type t_F'0 + goal vc_produces_trans'0 : ([%#srepeat1] produces'0 b bc c) + -> ([%#srepeat0] produces'0 a ab b) -> ([%#srepeat2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_refl [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (* as std::iter::Iterator> *) + let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 73 14 73 45 + let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 71 4 71 10 + let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 + let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 + let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Item'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'4 x0) + type t_I'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + use prelude.prelude.UIntSize - type t_U'0 + type t_Skip'0 = + { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } - type t_Option'0 = - | C_None'1 - | C_Some'1 t_U'0 - - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) - - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'5 a_0 - end + constant v_MAX'0 : usize = (18446744073709551615 : usize) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_Option'0) - + use prelude.prelude.UIntSize - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_Option'0)-> {inv'2 result} - {[%#sops5] postcondition_once'0 self args result} - (! return' {result}) ] - + function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int - use prelude.prelude.Borrow + axiom n'0_spec : forall self : t_Skip'0 . 
[%#sskip3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - use prelude.prelude.Intrinsic + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 + | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter end - meta "compute_max_steps" 1000000 + function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 - let rec extern_spec_std_option_T_Option_T_and_then_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_8 <- (t) ] s2 - | s2 = call_once'0 {f} {_8} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s3) - | s3 = bb7 ] - - | bb7 = bb8 - | bb8 = bb9 - | bb9 = bb10 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb10 ] - | bb10 = bb11 - | bb11 = bb12 - | bb12 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'1 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _8 : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_and_then_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'1 - | C_Some'0 t -> postcondition_once'0 f (t) result - end} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_filter_body [#"../../../creusot-contracts/src/std/option.rs" 254 16 256 41] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 254 35 254 44 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 243 27 246 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 254 52 254 61 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 247 26 253 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + axiom iter'0_spec : forall self : t_Skip'0 . 
[%#sskip4] inv'0 self -> inv'1 (iter'0 self) - type t_T'0 + use seq.Seq - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - type t_P'0 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + use seq.Seq use prelude.prelude.Borrow - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant6] inv'0 self + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + + = + [%#sskip2] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o + \/ n'0 o = 0 + /\ Seq.length visited > 0 + /\ (exists s : Seq.seq t_Item'0 . 
Seq.length s = n'0 self + /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant self : t_Skip'0 - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (self : t_Skip'0) : () - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal vc_produces_refl'0 : [%#sskip0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_trans [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (* as std::iter::Iterator> *) + let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 78 15 78 32 + let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 79 15 79 32 + let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 80 14 80 42 + let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 76 4 76 10 + let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 + let%span sskip5 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 + let%span sskip6 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + type t_I'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : t_T'0) + use prelude.prelude.UIntSize - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + type t_Skip'0 = + { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } - axiom inv_axiom'2 [@rewrite] : forall x : bool [inv'4 x] . inv'4 x = true + type t_Item'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : t_T'0) (result : bool) - + use seq.Seq - let rec call_once'0 (self:t_P'0) (args:t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:bool)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] - + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + use prelude.prelude.Int - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + constant v_MAX'0 : usize = (18446744073709551615 : usize) - use prelude.prelude.Intrinsic + use prelude.prelude.UIntSize - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + axiom n'0_spec : forall self : t_Skip'0 . [%#sskip5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . 
inv'0 x = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'0 a_0 + | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter end - meta "compute_max_steps" 1000000 + function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 - let rec extern_spec_std_option_T_Option_T_filter_body'0 (self_:t_Option'0) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_filter_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_filter_body 'predicate' type invariant] [%#soption1] inv'1 predicate'} - {[@expl:extern_spec_std_option_T_Option_T_filter_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 predicate' (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_11 <- t ] s2 - | s2 = [ &_9 <- (_11) ] s3 - | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) - | s4 = bb7 ] - - | bb7 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] - | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] - | bb9 = bb12 - | bb10 = s0 [ s0 = {[@expl:type invariant] inv'0 t} s1 | s1 = -{resolve'0 t}- s2 | s2 = bb11 ] - | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] - | bb12 = bb13 - | bb13 = bb14 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 predicate'} s1 | s1 = -{resolve'1 predicate'}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb14 ] - | bb14 = bb15 - | bb15 = bb16 - | bb16 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & predicate' : t_P'0 = predicate' - | & t : t_T'0 = any_l () - | & _7 : bool = any_l () - | & _9 : t_T'0 = any_l () - | & _11 : t_T'0 = any_l () ] + axiom iter'0_spec : forall self : t_Skip'0 . 
[%#sskip6] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_filter_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_filter_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'0 - | C_Some'0 t -> match result with - | C_None'0 -> postcondition_once'0 predicate' (t) false /\ resolve'0 t - | C_Some'0 r -> postcondition_once'0 predicate' (t) true /\ r = t - end - end} - (! return' {result}) ] + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 273 16 275 44] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 273 36 273 37 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 273 45 273 54 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 269 26 272 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - type t_T'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - type t_F'0 + axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq use prelude.prelude.Borrow - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + = + [%#sskip4] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o + \/ n'0 o = 0 + /\ Seq.length visited > 0 + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self + /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) - - axiom inv_axiom'1 [@rewrite] : forall x : () [inv'2 x] . inv'2 x = true + constant a : t_Skip'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + constant ab : Seq.seq t_Item'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant b : t_Skip'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + constant bc : Seq.seq t_Item'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'3 a_0 - end + constant c : t_Skip'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_Option'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (a : t_Skip'0) (ab : Seq.seq t_Item'0) (b : t_Skip'0) (bc : Seq.seq t_Item'0) (c : t_Skip'0) : () - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'2 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_Option'0)-> {inv'1 result} - {[%#sops4] postcondition_once'0 self args result} - (! return' {result}) ] - + goal vc_produces_trans'0 : ([%#sskip1] produces'0 b bc c) + -> ([%#sskip0] produces'0 a ab b) -> ([%#sskip2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_refl [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (* as std::iter::Iterator> *) + let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 71 14 71 45 + let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 69 4 69 10 + let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 + let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 + let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - use prelude.prelude.Intrinsic + use seq.Seq - meta "compute_max_steps" 1000000 + type t_Item'0 - let rec 
extern_spec_std_option_T_Option_T_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- C_Some'0 t ] s4 - | s4 = bb8 ] - - | bb8 = bb9 - | bb9 = bb10 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb10 - | bb10 = bb11 - | bb11 = bb12 - | bb12 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & _7 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_or_else_body result type invariant] [%#soption2] inv'1 result} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> postcondition_once'0 f () result - | C_Some'0 t -> result = C_Some'0 t - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_get_or_insert_with_body [#"../../../creusot-contracts/src/std/option.rs" 311 16 313 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 311 52 311 53 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 306 27 306 63 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 311 61 311 67 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 307 26 310 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span soption6 = "../../../creusot-contracts/src/std/option.rs" 62 26 62 75 - let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 64 20 65 100 - let%span sresolve8 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sresolve9 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - let%span sinvariant10 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + use seq.Seq - type t_T'0 + type t_I'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.UIntSize - type t_F'0 + type t_Take'0 = + { t_Take__iter'0: t_I'0; t_Take__n'0: usize } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use prelude.prelude.Int - use prelude.prelude.Borrow + constant v_MAX'0 : usize = (18446744073709551615 : usize) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.UIntSize - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! 
ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + axiom n'0_spec : forall self : t_Take'0 . [%#stake3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant10] inv'1 self.current /\ inv'1 self.final + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) - predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve8] self.final = self.current + axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x + = match x with + | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter + end - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'4 _1 + function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + axiom iter'0_spec : forall self : t_Take'0 . [%#stake4] inv'0 self -> inv'1 (iter'0 self) - axiom inv_axiom'3 [@rewrite] : forall x : () [inv'5 x] . 
inv'5 x = true + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_T'0)-> {inv'1 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + = + [%#stake2] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + constant self : t_Take'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'3 x] . 
inv'3 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'1 a_0 - end + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (self : t_Take'0) : () - predicate resolve'7 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + goal vc_produces_refl'0 : [%#stake0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_trans [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (* as std::iter::Iterator> *) + let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32 + let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 77 15 77 32 + let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 78 14 78 42 + let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 74 4 74 10 + let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 + let%span stake5 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 + let%span stake6 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - predicate resolve'5 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = - [%#sresolve9] match self with - | C_Some'0 x -> resolve'7 x - | C_None'0 -> true - end + type t_I'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Option'0) = - resolve'5 _1 + use prelude.prelude.UIntSize - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = - [%#sinvariant10] inv'3 self.current /\ inv'3 self.final + type t_Take'0 = + { 
t_Take__iter'0: t_I'0; t_Take__n'0: usize } - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + type t_Item'0 - axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'4 x] . inv'4 x = invariant'1 x + use seq.Seq - type t_Option'1 = - | C_None'1 - | C_Some'1 (borrowed t_T'0) + use prelude.prelude.Int - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom inv_axiom'4 [@rewrite] : forall x : t_Option'1 [inv'6 x] . inv'6 x + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + + axiom n'0_spec : forall self : t_Take'0 . [%#stake5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'2 a_0 + | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter end - let rec as_mut'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'1))= {[@expl:as_mut 'self' type invariant] inv'4 self} - any - [ return' (result:t_Option'1)-> {inv'6 result} - {[%#soption6] self.current = C_None'0 -> result = C_None'1 /\ self.final = C_None'0} - {[%#soption7] self.current = C_None'0 - \/ (exists r : borrowed t_T'0 . result = C_Some'1 r - /\ self.current = C_Some'0 (r.current) /\ self.final = C_Some'0 (r.final))} - (! 
return' {result}) ] - + function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 - let rec unwrap'0 (self:t_Option'1) (return' (ret:borrowed t_T'0))= {[@expl:unwrap 'self' type invariant] inv'6 self} - {[@expl:unwrap requires] [%#soption0] self <> C_None'1} - any [ return' (result:borrowed t_T'0)-> {inv'2 result} {[%#soption0] C_Some'1 result = self} (! return' {result}) ] + axiom iter'0_spec : forall self : t_Take'0 . [%#stake6] inv'0 self -> inv'1 (iter'0 self) - predicate resolve'6 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = - [%#sresolve8] self.final = self.current + use seq.Seq - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = - resolve'6 _1 + use seq.Seq - use prelude.prelude.Intrinsic + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - meta "compute_max_steps" 1000000 + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - let rec extern_spec_std_option_T_Option_T_get_or_insert_with_body'0 (self_:borrowed (t_Option'0)) (f:t_F'0) (return' (ret:borrowed t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'self_' type invariant] [%#soption0] inv'4 self_} + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + + = + [%#stake4] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) + + constant a : t_Take'0 + + constant ab : Seq.seq t_Item'0 + + constant b : t_Take'0 + + constant bc : Seq.seq t_Item'0 + + constant c : t_Take'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (a : t_Take'0) (ab : Seq.seq t_Item'0) (b : t_Take'0) (bc : Seq.seq t_Item'0) (c : t_Take'0) : () + + + goal vc_produces_trans'0 : ([%#stake1] produces'0 b bc c) + -> ([%#stake0] produces'0 a ab b) -> ([%#stake2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_refl [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (* as std::iter::Iterator> *) + let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45 + let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 53 4 53 10 + let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 + let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 + let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + type t_Item'1 + + use seq.Seq + + type t_A'0 + + type t_B'0 + + use prelude.prelude.UIntSize + + type t_Zip'0 = + { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + + use seq.Seq + + use seq.Seq + + use 
seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a + /\ inv'2 b + end + + function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + + axiom itera'0_spec : forall self : t_Zip'0 . [%#szip3] inv'0 self -> inv'1 (itera'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + + + axiom produces_trans'0_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + + axiom produces_refl'1_spec : forall self : t_A'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + + axiom iterb'0_spec : forall self : t_Zip'0 . 
[%#szip4] inv'0 self -> inv'2 (iterb'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + + + axiom produces_trans'1_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter6] produces'2 a ab b) + -> ([%#siter7] produces'2 b bc c) -> ([%#siter8] produces'2 a (Seq.(++) ab bc) c) + + function produces_refl'2 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + + axiom produces_refl'2_spec : forall self : t_B'0 . [%#siter5] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + + = + [%#szip2] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 + /\ Seq.length p2 = Seq.length visited + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) + /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + + constant self : t_Zip'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (self : t_Zip'0) : () + + goal vc_produces_refl'0 : [%#szip0] produces'0 self (Seq.empty : Seq.seq (t_Item'0, t_Item'1)) self +end +module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_trans [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (* as std::iter::Iterator> *) + let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32 + let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32 + let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42 + let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 58 4 58 10 + let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 + let%span szip5 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 + let%span szip6 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_A'0 + + type t_B'0 + + use prelude.prelude.UIntSize + + type t_Zip'0 = + { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + + type t_Item'0 + + type t_Item'1 + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + + predicate inv'2 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a + /\ inv'2 b + end + + function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + + axiom itera'0_spec : forall self : t_Zip'0 . [%#szip5] inv'0 self -> inv'1 (itera'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + + + axiom produces_trans'1_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + + axiom produces_refl'0_spec : forall self : t_A'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + + axiom iterb'0_spec : forall self : t_Zip'0 . 
[%#szip6] inv'0 self -> inv'2 (iterb'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + + + function produces_trans'2 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + + + axiom produces_trans'2_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter8] produces'2 a ab b) + -> ([%#siter9] produces'2 b bc c) -> ([%#siter10] produces'2 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + + axiom produces_refl'1_spec : forall self : t_B'0 . [%#siter7] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + + = + [%#szip4] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 + /\ Seq.length p2 = Seq.length visited + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) + /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + + use seq.Seq + + constant a : t_Zip'0 + + constant ab : Seq.seq (t_Item'0, t_Item'1) + + constant b : t_Zip'0 + + constant bc : Seq.seq (t_Item'0, t_Item'1) + + constant c : t_Zip'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (a : t_Zip'0) (ab : Seq.seq (t_Item'0, t_Item'1)) (b : t_Zip'0) (bc : Seq.seq (t_Item'0, t_Item'1)) (c : t_Zip'0) : () + + + goal vc_produces_trans'0 : ([%#szip1] produces'0 b bc c) + -> ([%#szip0] produces'0 a ab b) -> ([%#szip2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_refl [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (* <&mut I as std::iter::Iterator> *) + let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 222 14 222 45 + let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 220 4 220 10 + let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 + let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_I'0 + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : 
t_I'0 . ([%#siter4] produces'1 a ab b) + -> ([%#siter5] produces'1 b bc c) -> ([%#siter6] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter3] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + + = + [%#siter2] produces'1 self.current visited o.current /\ self.final = o.final + + constant self : borrowed t_I'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (self : borrowed t_I'0) : () + + goal vc_produces_refl'0 : [%#siter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_trans [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (* <&mut I as std::iter::Iterator> *) + let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 227 15 227 32 + let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 228 15 228 32 + let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 229 14 229 42 + let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 225 4 225 10 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use prelude.prelude.Borrow + + type t_I'0 + + type t_Item'0 + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function 
produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + + = + [%#siter4] produces'1 self.current visited o.current /\ self.final = o.final + + constant a : borrowed t_I'0 + + constant ab : Seq.seq t_Item'0 + + constant b : borrowed t_I'0 + + constant bc : Seq.seq t_Item'0 + + constant c : borrowed t_I'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (a : borrowed t_I'0) (ab : Seq.seq t_Item'0) (b : borrowed t_I'0) (bc : Seq.seq t_Item'0) (c : borrowed t_I'0) : () + + + goal vc_produces_trans'0 : ([%#siter1] produces'0 b bc c) + -> ([%#siter0] produces'0 a ab b) -> ([%#siter2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_unwrap_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 103 16 105 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 103 43 103 44 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 103 52 103 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 99 26 102 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type 
t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'1 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_T'0)-> {inv'2 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_unwrap_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- t ] s4 + | s4 = bb8 ] + + | bb8 = bb9 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb9 + | bb9 = bb10 + | bb10 = bb11 + | bb11 = return' {_0} ] + ) + [ & _0 : t_T'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & _7 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body result type invariant] [%#soption2] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> postcondition_once'0 f () result + | C_Some'0 t -> result = t + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_body [#"../../../creusot-contracts/src/std/option.rs" 131 16 133 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 131 35 131 36 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 123 27 126 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 131 44 131 53 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 127 26 130 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'1 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + type t_Option'0 = + | C_None'1 + | C_Some'1 t_U'0 + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'5 a_0 + end + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_map_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_map_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! 
bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_9 <- (t) ] s2 + | s2 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_7 <- _ret' ] s3) + | s3 = bb7 ] + + | bb7 = bb8 + | bb8 = s0 [ s0 = [ &_0 <- C_Some'1 _7 ] s1 | s1 = bb9 ] + | bb9 = bb10 + | bb10 = bb11 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb11 ] + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'1 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _7 : t_U'0 = any_l () + | & _9 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_map_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'1 + | C_Some'0 t -> exists r : t_U'0 . result = C_Some'1 r /\ postcondition_once'0 f (t) r + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_inspect_body [#"../../../creusot-contracts/src/std/option.rs" 149 16 151 33] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 149 36 149 37 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 140 27 143 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 149 45 149 54 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 145 26 148 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant6] inv'4 self + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : ()) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:()))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'2 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any [ return' (result:())-> {inv'3 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_inspect_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = any [ br0 -> {self_ = C_None'0 } (! bb5) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb6) ] + | bb6 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_12 <- t ] s2 + | s2 = [ &_10 <- (_12) ] s3 + | s3 = call_once'0 {f} {_10} (fun (_ret':()) -> [ &_8 <- _ret' ] s4) + | s4 = bb8 ] + + | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] + | bb9 = bb10 + | bb10 = bb11 + | bb5 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb7 ] + | bb7 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb11 ] + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _8 : () = any_l () + | & _10 : t_T'0 = any_l () + | & _12 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_inspect_body result type invariant] [%#soption3] inv'1 result} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #0] [%#soption0] result = self_} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #1] [%#soption4] match self_ with + | C_None'0 -> true + | C_Some'0 t -> postcondition_once'0 f (t) () + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_body [#"../../../creusot-contracts/src/std/option.rs" 166 16 168 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 166 38 166 45 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 166 50 166 51 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 158 27 161 17 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 166 59 166 60 + let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 162 26 165 17 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_U'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_U'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'4 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops6] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'0 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_or_body'0 (self_:t_Option'0) (default:t_U'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'default' type invariant] [%#soption1] inv'0 default} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'f' type invariant] [%#soption2] inv'1 f} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body requires] [%#soption3] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 default} s1 + | s1 = -{resolve'0 default}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_9 <- (t) ] s4 + | s4 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) + | s5 = bb7 ] + + | bb7 = bb8 + | bb8 = bb9 + | bb9 = bb10 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- default ] s1 | s1 = bb10 ] + | bb10 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_U'0 = any_l () + | & self_ : t_Option'0 = self_ + | & default : t_U'0 = default + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _9 : t_T'0 = any_l () ] + + [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_body result type invariant] [%#soption4] inv'0 result} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body ensures] [%#soption5] match self_ with + | C_None'0 -> result = default + | C_Some'0 t -> postcondition_once'0 f (t) result + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 183 16 186 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 183 46 183 53 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 183 58 183 59 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 175 27 178 17 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 183 67 183 68 + let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 179 26 182 17 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_D'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_D'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_D'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'4 x] . 
inv'4 x = (let (x0) = x in inv'6 x0) + + predicate precondition'1 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate postcondition_once'1 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'4 args} + {[@expl:call_once requires] [%#sops6] precondition'1 self args} + any + [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'1 self args result} (! return' {result}) ] + + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_D'0) (args : ()) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_D'0) (args : ()) (result : t_U'0) + + + let rec call_once'1 (self:t_D'0) (args:()) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops6] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'6 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_or_else_body'0 (self_:t_Option'0) (default:t_D'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'default' type invariant] [%#soption1] inv'0 default} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'f' type invariant] [%#soption2] inv'1 f} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body requires] [%#soption3] match self_ with + | C_None'0 -> precondition'0 default () + | C_Some'0 t -> precondition'1 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 default} s1 + | s1 = -{resolve'0 default}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_11 <- (t) ] s4 + | s4 = call_once'0 {f} {_11} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) + | s5 = bb8 ] + + | bb8 = bb9 + | bb9 = bb10 + | bb10 = bb11 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = call_once'1 {default} {_8} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = bb14 + | bb14 = return' {_0} ] + ) + [ & _0 : t_U'0 = any_l () + | & self_ : t_Option'0 = self_ + | & default : t_D'0 = default + | & f : t_F'0 = f + | & _8 : () = any_l () + | & t : t_T'0 = any_l () + | & _11 : t_T'0 = any_l () ] + + [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body result type invariant] [%#soption4] inv'3 result} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body ensures] [%#soption5] match self_ with + | C_None'0 -> postcondition_once'0 
default () result + | C_Some'0 t -> postcondition_once'1 f (t) result + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_ok_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 204 16 206 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 204 42 204 45 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 204 53 204 65 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 200 26 203 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_E'0 + + type t_Result'0 = + | C_Ok'0 t_T'0 + | C_Err'0 t_E'0 + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . 
inv'3 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_E'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_E'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_E'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_E'0)-> {inv'4 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'5 a_0 + end + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Result'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Result'0 [inv'2 x] . inv'2 x + = match x with + | C_Ok'0 a_0 -> inv'5 a_0 + | C_Err'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_ok_or_else_body'0 (self_:t_Option'0) (err:t_F'0) (return' (ret:t_Result'0))= {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'err' type invariant] [%#soption1] inv'0 err} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 err ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 err} s1 + | s1 = -{resolve'0 err}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- C_Ok'0 t ] s4 + | s4 = bb9 ] + + | bb9 = bb10 + | bb10 = bb11 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {err} {_8} (fun (_ret':t_E'0) -> [ &_6 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = s0 [ s0 = [ &_0 <- C_Err'0 _6 ] s1 | s1 = bb8 ] + | bb8 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Result'0 = any_l () + | & self_ : t_Option'0 = self_ + | & err : t_F'0 = err + | & _6 : t_E'0 = any_l () + | & _8 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_Result'0)-> {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body result type invariant] [%#soption2] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> exists r : t_E'0 . result = C_Err'0 r /\ postcondition_once'0 err () r + | C_Some'0 t -> result = C_Ok'0 t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_and_then_body [#"../../../creusot-contracts/src/std/option.rs" 234 16 236 45] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 234 40 234 41 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 226 27 229 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 234 49 234 58 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 230 26 233 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'1 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . 
C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + type t_Option'0 = + | C_None'1 + | C_Some'1 t_U'0 + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'5 a_0 + end + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_Option'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_Option'0)-> {inv'2 result} + {[%#sops5] postcondition_once'0 self args result} + (! return' {result}) ] + + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_and_then_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_8 <- (t) ] s2 + | s2 = call_once'0 {f} {_8} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s3) + | s3 = bb7 ] + + | bb7 = bb8 + | bb8 = bb9 + | bb9 = bb10 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb10 ] + | bb10 = bb11 + | bb11 = bb12 + | bb12 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'1 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _8 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_and_then_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'1 + | C_Some'0 t -> postcondition_once'0 f (t) result + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_filter_body [#"../../../creusot-contracts/src/std/option.rs" 254 16 256 41] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 254 35 254 44 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 243 27 246 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 254 52 254 61 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 247 26 253 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_P'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + + use prelude.prelude.Borrow + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant6] inv'0 self + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : t_T'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + + axiom inv_axiom'2 [@rewrite] : forall x : bool [inv'4 x] . inv'4 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : t_T'0) (result : bool) + + + let rec call_once'0 (self:t_P'0) (args:t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:bool)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'0 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_filter_body'0 (self_:t_Option'0) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_filter_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_filter_body 'predicate' type invariant] [%#soption1] inv'1 predicate'} + {[@expl:extern_spec_std_option_T_Option_T_filter_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 predicate' (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_11 <- t ] s2 + | s2 = [ &_9 <- (_11) ] s3 + | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) + | s4 = bb7 ] + + | bb7 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] + | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] + | bb9 = bb12 + | bb10 = s0 [ s0 = {[@expl:type invariant] inv'0 t} s1 | s1 = -{resolve'0 t}- s2 | s2 = bb11 ] + | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] + | bb12 = bb13 + | bb13 = bb14 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 predicate'} s1 | s1 = -{resolve'1 predicate'}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb14 ] + | bb14 = bb15 + | bb15 = bb16 + | bb16 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & predicate' : t_P'0 = predicate' + | & t : t_T'0 = any_l () + | & _7 : bool = any_l () + | & _9 : t_T'0 = any_l () + | & _11 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_filter_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_filter_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'0 + | C_Some'0 t -> match result with + | C_None'0 -> postcondition_once'0 predicate' (t) false /\ resolve'0 t + | C_Some'0 r -> postcondition_once'0 predicate' (t) true /\ r = t + end + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 273 16 275 44] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 273 36 273 37 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 273 45 273 54 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 269 26 272 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'1 [@rewrite] : forall x : () [inv'2 x] . inv'2 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'3 a_0 + end + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_Option'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'2 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_Option'0)-> {inv'1 result} + {[%#sops4] postcondition_once'0 self args result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- C_Some'0 t ] s4 + | s4 = bb8 ] + + | bb8 = bb9 + | bb9 = bb10 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb10 + | bb10 = bb11 + | bb11 = bb12 + | bb12 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & _7 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_or_else_body result type invariant] [%#soption2] inv'1 result} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> postcondition_once'0 f () result + | C_Some'0 t -> result = C_Some'0 t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_get_or_insert_with_body [#"../../../creusot-contracts/src/std/option.rs" 311 16 313 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 311 52 311 53 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 306 27 306 63 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 311 61 311 67 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 307 26 310 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span soption6 = "../../../creusot-contracts/src/std/option.rs" 62 26 62 75 + let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 64 20 65 100 + let%span sresolve8 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sresolve9 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 + let%span sinvariant10 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + + 
type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant10] inv'1 self.current /\ inv'1 self.final + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + + predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve8] self.final = self.current + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'4 _1 + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'3 [@rewrite] : forall x : () [inv'5 x] . 
inv'5 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_T'0)-> {inv'1 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'1 a_0 + end + + predicate resolve'7 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + + predicate resolve'5 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = + [%#sresolve9] match self with + | C_Some'0 x -> resolve'7 x + | C_None'0 -> true + end + + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Option'0) = + resolve'5 _1 + + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = + [%#sinvariant10] inv'3 self.current /\ inv'3 self.final + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + + axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'4 x] . inv'4 x = invariant'1 x + + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_T'0) + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'4 [@rewrite] : forall x : t_Option'1 [inv'6 x] . 
inv'6 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'2 a_0 + end + + let rec as_mut'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'1))= {[@expl:as_mut 'self' type invariant] inv'4 self} + any + [ return' (result:t_Option'1)-> {inv'6 result} + {[%#soption6] self.current = C_None'0 -> result = C_None'1 /\ self.final = C_None'0} + {[%#soption7] self.current = C_None'0 + \/ (exists r : borrowed t_T'0 . result = C_Some'1 r + /\ self.current = C_Some'0 (r.current) /\ self.final = C_Some'0 (r.final))} + (! return' {result}) ] + + + let rec unwrap'0 (self:t_Option'1) (return' (ret:borrowed t_T'0))= {[@expl:unwrap 'self' type invariant] inv'6 self} + {[@expl:unwrap requires] [%#soption0] self <> C_None'1} + any [ return' (result:borrowed t_T'0)-> {inv'2 result} {[%#soption0] C_Some'1 result = self} (! return' {result}) ] + + predicate resolve'6 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = + [%#sresolve8] self.final = self.current + + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = + resolve'6 _1 + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_get_or_insert_with_body'0 (self_:borrowed (t_Option'0)) (f:t_F'0) (return' (ret:borrowed t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'self_' type invariant] [%#soption0] inv'4 self_} {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'f' type invariant] [%#soption1] inv'0 f} {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body requires] [%#soption2] self_.current = C_None'0 -> precondition'0 f ()} 
@@ -6022,3455 +7932,4705 @@ module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T | s5 = -{resolve'1 t}- s6 | s6 = bb14 ] - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_12} (fun (_ret':t_T'0) -> [ &_10 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = s0 [ s0 = [ &_9 <- C_Some'0 _10 ] s1 | s1 = bb8 ] - | bb8 = bb9 - | bb9 = s0 - [ s0 = {[@expl:type invariant] match self_ with - | {current = x'0} -> inv'3 x'0 - | _ -> true - end} - s1 - | s1 = -{match self_ with - | {current = x'1} -> resolve'2 x'1 - | _ -> true - end}- - s2 - | s2 = [ &self_ <- { self_ with current = _9 } ] s3 - | s3 = bb11 ] + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_12} (fun (_ret':t_T'0) -> [ &_10 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = s0 [ s0 = [ &_9 <- C_Some'0 _10 ] s1 | s1 = bb8 ] + | bb8 = bb9 + | bb9 = s0 + [ s0 = {[@expl:type invariant] match self_ with + | {current = x'0} -> inv'3 x'0 + | _ -> true + end} + s1 + | s1 = -{match self_ with + | {current = x'1} -> resolve'2 x'1 + | _ -> true + end}- + s2 + | s2 = [ &self_ <- { self_ with current = _9 } ] s3 + | s3 = bb11 ] + + | bb11 = s0 + [ s0 = {inv'3 self_.current} + Borrow.borrow_final {self_.current} {Borrow.get_id self_} + (fun (_ret':borrowed (t_Option'0)) -> + [ &_15 <- _ret' ] + -{inv'3 _ret'.final}- + [ &self_ <- { self_ with current = _ret'.final } ] + s1) + | s1 = as_mut'0 {_15} (fun (_ret':t_Option'1) -> [ &_14 <- _ret' ] s2) + | s2 = bb12 ] + + | bb12 = s0 [ s0 = unwrap'0 {_14} (fun (_ret':borrowed t_T'0) -> [ &_13 <- _ret' ] s1) | s1 = bb13 ] + | bb13 = s0 + [ s0 = {inv'1 _13.current} + Borrow.borrow_final {_13.current} {Borrow.get_id _13} + (fun (_ret':borrowed t_T'0) -> + [ &_8 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_13 <- { _13 with current = _ret'.final } ] + s1) + | s1 = {inv'1 _8.current} + Borrow.borrow_final {_8.current} {Borrow.get_id _8} + (fun (_ret':borrowed t_T'0) -> + [ &_6 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_8 <- { _8 with current = _ret'.final } ] + s2) + | s2 = {[@expl:type 
invariant] inv'2 _13} s3 + | s3 = -{resolve'1 _13}- s4 + | s4 = {[@expl:type invariant] inv'2 _8} s5 + | s5 = -{resolve'1 _8}- s6 + | s6 = bb14 ] + + | bb14 = s0 + [ s0 = {inv'1 _6.current} + Borrow.borrow_final {_6.current} {Borrow.get_id _6} + (fun (_ret':borrowed t_T'0) -> + [ &_3 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_6 <- { _6 with current = _ret'.final } ] + s1) + | s1 = {inv'1 _3.current} + Borrow.borrow_final {_3.current} {Borrow.get_id _3} + (fun (_ret':borrowed t_T'0) -> + [ &_0 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_3 <- { _3 with current = _ret'.final } ] + s2) + | s2 = {[@expl:type invariant] inv'2 _6} s3 + | s3 = -{resolve'1 _6}- s4 + | s4 = {[@expl:type invariant] inv'2 _3} s5 + | s5 = -{resolve'1 _3}- s6 + | s6 = bb15 ] + + | bb15 = s0 [ s0 = {[@expl:type invariant] inv'4 self_} s1 | s1 = -{resolve'3 self_}- s2 | s2 = return' {_0} ] ] + ) + [ & _0 : borrowed t_T'0 = any_l () + | & self_ : borrowed (t_Option'0) = self_ + | & f : t_F'0 = f + | & _3 : borrowed t_T'0 = any_l () + | & _6 : borrowed t_T'0 = any_l () + | & _8 : borrowed t_T'0 = any_l () + | & _9 : t_Option'0 = any_l () + | & _10 : t_T'0 = any_l () + | & _12 : () = any_l () + | & _13 : borrowed t_T'0 = any_l () + | & _14 : t_Option'1 = any_l () + | & _15 : borrowed (t_Option'0) = any_l () + | & t : borrowed t_T'0 = any_l () ] + + [ return' (result:borrowed t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body ensures] [%#soption4] match self_.current with + | C_None'0 -> postcondition_once'0 f () result.current /\ self_.final = C_Some'0 (result.final) + | C_Some'0 _ -> self_.current = C_Some'0 (result.current) /\ self_.final = C_Some'0 (result.final) + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_take_if_body [#"../../../creusot-contracts/src/std/option.rs" 338 16 340 45] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 338 41 338 50 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 324 27 327 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 338 58 338 67 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 328 26 337 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sresolve6 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant7 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + use prelude.prelude.Borrow + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_P'0 + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant7] inv'0 self.current /\ inv'0 self.final + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'5 x] . 
inv'5 x = (let (x0) = x in inv'1 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : borrowed t_T'0) + + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + + axiom inv_axiom'4 [@rewrite] : forall x : bool [inv'6 x] . inv'6 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : borrowed t_T'0) (result : bool) + + + let rec call_once'0 (self:t_P'0) (args:borrowed t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'4 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:bool)-> {inv'6 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve6] self.final = self.current + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'3 _1 + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'0 a_0 + end + + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = + [%#sinvariant7] inv'2 self.current /\ inv'2 self.final + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + + axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'3 x] . 
inv'3 x = invariant'1 x + + let rec take'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'0))= {[@expl:take 'self' type invariant] inv'3 self} + any + [ return' (result:t_Option'0)-> {inv'2 result} + {[%#soption0] result = self.current /\ self.final = C_None'0} + (! return' {result}) ] + + + predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = + [%#sresolve6] self.final = self.current + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = + resolve'4 _1 + + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_take_if_body'0 (self_:borrowed (t_Option'0)) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'self_' type invariant] [%#soption0] inv'3 self_} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'predicate' type invariant] [%#soption1] inv'4 predicate'} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body requires] [%#soption2] match self_.current with + | C_None'0 -> true + | C_Some'0 t -> forall b : borrowed t_T'0 . inv'1 b /\ b.current = t -> precondition'0 predicate' (b) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_.current} + (fun (r0'0:t_T'0) -> + {inv'0 r0'0} + Borrow.borrow_mut {r0'0} + (fun (_ret':borrowed t_T'0) -> + [ &t <- _ret' ] + -{inv'0 _ret'.final}- + [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] + s1)) + | s1 = {inv'0 t.current} + Borrow.borrow_final {t.current} {Borrow.get_id t} + (fun (_ret':borrowed t_T'0) -> + [ &_10 <- _ret' ] + -{inv'0 _ret'.final}- + [ &t <- { t with current = _ret'.final } ] + s2) + | s2 = [ &_9 <- (_10) ] s3 + | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) + | s4 = bb7 ] + + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'1 t} s1 + | s1 = -{resolve'0 t}- s2 + | s2 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] ] - | bb11 = s0 - [ s0 = {inv'3 self_.current} + | bb8 = s0 + [ s0 = {inv'2 self_.current} Borrow.borrow_final {self_.current} {Borrow.get_id self_} (fun (_ret':borrowed (t_Option'0)) -> - [ &_15 <- _ret' ] - -{inv'3 _ret'.final}- + [ &_11 <- _ret' ] + -{inv'2 _ret'.final}- [ &self_ <- { self_ with current = _ret'.final } ] s1) - | s1 = as_mut'0 {_15} (fun (_ret':t_Option'1) -> [ &_14 <- _ret' ] s2) - | s2 = bb12 ] - - | bb12 = s0 [ s0 = unwrap'0 {_14} (fun (_ret':borrowed t_T'0) -> [ &_13 <- _ret' ] s1) | s1 = bb13 ] - | bb13 = s0 - [ s0 = {inv'1 _13.current} - Borrow.borrow_final {_13.current} {Borrow.get_id _13} - (fun (_ret':borrowed t_T'0) -> - [ &_8 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_13 <- { _13 with current = _ret'.final } ] - s1) - | s1 = {inv'1 _8.current} - Borrow.borrow_final {_8.current} {Borrow.get_id _8} - (fun (_ret':borrowed t_T'0) -> - [ &_6 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_8 <- { _8 with current = _ret'.final } ] - s2) - | s2 = {[@expl:type invariant] inv'2 _13} s3 - | s3 = -{resolve'1 _13}- s4 - | s4 = {[@expl:type invariant] inv'2 _8} s5 - | s5 = -{resolve'1 _8}- s6 - | s6 = bb14 ] + | s1 = take'0 {_11} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s2) + | s2 = bb9 ] - | bb14 = s0 - [ s0 = {inv'1 
_6.current} - Borrow.borrow_final {_6.current} {Borrow.get_id _6} - (fun (_ret':borrowed t_T'0) -> - [ &_3 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_6 <- { _6 with current = _ret'.final } ] - s1) - | s1 = {inv'1 _3.current} - Borrow.borrow_final {_3.current} {Borrow.get_id _3} - (fun (_ret':borrowed t_T'0) -> - [ &_0 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_3 <- { _3 with current = _ret'.final } ] - s2) - | s2 = {[@expl:type invariant] inv'2 _6} s3 - | s3 = -{resolve'1 _6}- s4 - | s4 = {[@expl:type invariant] inv'2 _3} s5 - | s5 = -{resolve'1 _3}- s6 - | s6 = bb15 ] + | bb9 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb12 ] + | bb10 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb11 ] + | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] + | bb12 = bb13 + | bb4 = s0 + [ s0 = {[@expl:type invariant] inv'4 predicate'} s1 + | s1 = -{resolve'2 predicate'}- s2 + | s2 = {[@expl:type invariant] inv'3 self_} s3 + | s3 = -{resolve'1 self_}- s4 + | s4 = bb6 ] - | bb15 = s0 [ s0 = {[@expl:type invariant] inv'4 self_} s1 | s1 = -{resolve'3 self_}- s2 | s2 = return' {_0} ] ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb13 ] + | bb13 = bb14 + | bb14 = return' {_0} ] ) - [ & _0 : borrowed t_T'0 = any_l () + [ & _0 : t_Option'0 = any_l () | & self_ : borrowed (t_Option'0) = self_ - | & f : t_F'0 = f - | & _3 : borrowed t_T'0 = any_l () - | & _6 : borrowed t_T'0 = any_l () - | & _8 : borrowed t_T'0 = any_l () - | & _9 : t_Option'0 = any_l () - | & _10 : t_T'0 = any_l () - | & _12 : () = any_l () - | & _13 : borrowed t_T'0 = any_l () - | & _14 : t_Option'1 = any_l () - | & _15 : borrowed (t_Option'0) = any_l () - | & t : borrowed t_T'0 = any_l () ] + | & predicate' : t_P'0 = predicate' + | & t : borrowed t_T'0 = any_l () + | & _7 : bool = any_l () + | & _9 : borrowed t_T'0 = any_l () + | & _10 : borrowed t_T'0 = any_l () + | & _11 : borrowed (t_Option'0) = any_l () ] + + [ return' 
(result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_take_if_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body ensures] [%#soption4] match self_.current with + | C_None'0 -> result = C_None'0 /\ self_.final = C_None'0 + | C_Some'0 cur -> exists b : borrowed t_T'0, res : bool . inv'1 b + /\ cur = b.current + /\ postcondition_once'0 predicate' (b) res + /\ (if res then + self_.final = C_None'0 /\ result = C_Some'0 (b.final) + else + self_.final = C_Some'0 (b.final) /\ result = C_None'0 + ) + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Greater'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Less'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Less'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Greater'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'1_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption2] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : t_Option'0) : () + + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption4] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + constant z : t_Option'0 + + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : t_Option'0) (y : t_Option'0) (z : t_Option'0) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + 
let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - [ return' (result:borrowed t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body ensures] [%#soption4] match self_.current with - | C_None'0 -> postcondition_once'0 f () result.current /\ self_.final = C_Some'0 (result.final) - | C_Some'0 _ -> self_.current = C_Some'0 (result.current) /\ self_.final = C_Some'0 (result.final) - end} - (! 
return' {result}) ] + = + [%#soption2] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : t_Option'0) (y : t_Option'0) : () + + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 476 14 476 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 474 4 474 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + + use seq.Seq + + type t_T'0 + + use seq.Seq + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + constant self : t_IntoIter'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (self : t_IntoIter'0) : () + + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 481 15 481 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 482 15 482 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 483 14 483 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 479 4 479 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + use seq.Seq + + constant a : t_IntoIter'0 + + constant ab : Seq.seq t_T'0 + + constant b : t_IntoIter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_take_if_body [#"../../../creusot-contracts/src/std/option.rs" 338 16 340 45] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 338 41 338 50 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 324 27 327 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 338 58 338 67 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 328 26 337 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sresolve6 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant7 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 +module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 529 14 529 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 527 4 527 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Item'0 = + { 
t_Item__opt'0: t_Option'0 } + + type t_Iter'0 = + { t_Iter__inner'0: t_Item'0 } + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + constant self : t_Iter'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (self : t_Iter'0) : () + + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 534 15 534 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 535 15 535 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 536 14 536 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 532 4 532 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + + use prelude.prelude.Borrow + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_Iter'0 = + { t_Iter__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + use seq.Seq + + constant a : t_Iter'0 + + constant ab : Seq.seq t_T'0 + + constant b : t_Iter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_Iter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + + + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 585 14 585 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 583 4 583 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq + + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_T'0) + + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_IterMut'0 = + { t_IterMut__inner'0: t_Item'0 } + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + + = + [%#soption2] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o + \/ (exists e : borrowed t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + constant self : t_IterMut'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (self : t_IterMut'0) : () + + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self +end +module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 590 15 590 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 591 15 591 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 592 14 592 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 588 4 588 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + + use prelude.prelude.Borrow type t_T'0 type t_Option'0 = | C_None'0 - | C_Some'0 t_T'0 - - use prelude.prelude.Borrow + | C_Some'0 (borrowed t_T'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] - + type t_IterMut'0 = + { t_IterMut__inner'0: t_Item'0 } - type t_P'0 + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant7] inv'0 self.current /\ inv'0 self.final + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + + = + [%#soption4] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o + \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + use seq.Seq - axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'5 x] . inv'5 x = (let (x0) = x in inv'1 x0) + constant a : t_IterMut'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : borrowed t_T'0) - + constant ab : Seq.seq (borrowed t_T'0) - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + constant b : t_IterMut'0 - axiom inv_axiom'4 [@rewrite] : forall x : bool [inv'6 x] . 
inv'6 x = true + constant bc : Seq.seq (borrowed t_T'0) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : borrowed t_T'0) (result : bool) - + constant c : t_IterMut'0 - let rec call_once'0 (self:t_P'0) (args:borrowed t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'4 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:bool)-> {inv'6 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve6] self.final = self.current - - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'3 _1 + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__ptr__qyi17063894948818224584__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (* <*const T as std::ptr::PointerExt> *) + let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Opaque - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'0 a_0 - end + use prelude.prelude.Int - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = - [%#sinvariant7] inv'2 self.current /\ inv'2 self.final + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + constant self : opaque_ptr - axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'3 x] . inv'3 x = invariant'1 x + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool - let rec take'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'0))= {[@expl:take 'self' type invariant] inv'3 self} - any - [ return' (result:t_Option'0)-> {inv'2 result} - {[%#soption0] result = self.current /\ self.final = C_None'0} - (! return' {result}) ] - + goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) +end +module M_creusot_contracts__stdqy35z1__ptr__qyi4877913266695965320__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (* <*mut T as std::ptr::PointerExt> *) + let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 96 14 96 48 + let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 98 8 98 30 - predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = - [%#sresolve6] self.final = self.current + use prelude.prelude.Opaque - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = - resolve'4 _1 + use prelude.prelude.Int - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 90 4 90 30] (self : opaque_ptr) : int - use prelude.prelude.Intrinsic 
+ constant self : opaque_ptr - meta "compute_max_steps" 1000000 + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (self : opaque_ptr) : bool - let rec extern_spec_std_option_T_Option_T_take_if_body'0 (self_:borrowed (t_Option'0)) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'self_' type invariant] [%#soption0] inv'3 self_} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'predicate' type invariant] [%#soption1] inv'4 predicate'} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body requires] [%#soption2] match self_.current with - | C_None'0 -> true - | C_Some'0 t -> forall b : borrowed t_T'0 . inv'1 b /\ b.current = t -> precondition'0 predicate' (b) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_.current} - (fun (r0'0:t_T'0) -> - {inv'0 r0'0} - Borrow.borrow_mut {r0'0} - (fun (_ret':borrowed t_T'0) -> - [ &t <- _ret' ] - -{inv'0 _ret'.final}- - [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] - s1)) - | s1 = {inv'0 t.current} - Borrow.borrow_final {t.current} {Borrow.get_id t} - (fun (_ret':borrowed t_T'0) -> - [ &_10 <- _ret' ] - -{inv'0 _ret'.final}- - [ &t <- { t with current = _ret'.final } ] - s2) - | s2 = [ &_9 <- (_10) ] s3 - | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) - | s4 = bb7 ] - - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'1 t} s1 - | s1 = -{resolve'0 t}- s2 - | s2 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! 
bb8) ] ] - - | bb8 = s0 - [ s0 = {inv'2 self_.current} - Borrow.borrow_final {self_.current} {Borrow.get_id self_} - (fun (_ret':borrowed (t_Option'0)) -> - [ &_11 <- _ret' ] - -{inv'2 _ret'.final}- - [ &self_ <- { self_ with current = _ret'.final } ] - s1) - | s1 = take'0 {_11} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s2) - | s2 = bb9 ] - - | bb9 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb12 ] - | bb10 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb11 ] - | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] - | bb12 = bb13 - | bb4 = s0 - [ s0 = {[@expl:type invariant] inv'4 predicate'} s1 - | s1 = -{resolve'2 predicate'}- s2 - | s2 = {[@expl:type invariant] inv'3 self_} s3 - | s3 = -{resolve'1 self_}- s4 - | s4 = bb6 ] - - | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb13 ] - | bb13 = bb14 - | bb14 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : borrowed (t_Option'0) = self_ - | & predicate' : t_P'0 = predicate' - | & t : borrowed t_T'0 = any_l () - | & _7 : bool = any_l () - | & _9 : borrowed t_T'0 = any_l () - | & _10 : borrowed t_T'0 = any_l () - | & _11 : borrowed (t_Option'0) = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_take_if_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body ensures] [%#soption4] match self_.current with - | C_None'0 -> result = C_None'0 /\ self_.final = C_None'0 - | C_Some'0 cur -> exists b : borrowed t_T'0, res : bool . inv'1 b - /\ cur = b.current - /\ postcondition_once'0 predicate' (b) res - /\ (if res then - self_.final = C_None'0 /\ result = C_Some'0 (b.final) - else - self_.final = C_Some'0 (b.final) /\ result = C_None'0 - ) - end} - (! 
return' {result}) ] - + goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 - - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 - - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 - - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - +module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_refl 
[#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 411 14 411 45 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 409 4 409 10 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use prelude.prelude.Borrow - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Iter'0 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Slice - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.UIntSize - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + constant v_MAX'0 : usize = (18446744073709551615 : usize) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Int - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Slice - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice8] view'2 self = Slice.id self) - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel5] view'2 self - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sindex6] Seq.get (view'2 self) ix - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Option'0) (o : t_Option'0) : bool - - = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - constant x : t_Option'0 + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice4] forall i : int . 
0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - constant y : t_Option'0 + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : t_Option'0) (y : t_Option'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + = + [%#sslice2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant self : t_Iter'0 - type t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (self : t_Iter'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 416 15 416 32 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 417 15 417 32 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 418 14 418 42 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 414 4 414 10 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use prelude.prelude.Opaque - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_Iter'0 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - 
axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use prelude.prelude.Borrow - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Slice - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.UIntSize - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + constant v_MAX'0 : usize = (18446744073709551615 : usize) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Int - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Slice - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice10] view'2 self = Slice.id self) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel7] view'2 self - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex8] Seq.get (view'2 self) ix - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . 
([%#sslice5] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - - = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + use seq.Seq - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Option'0) (o : t_Option'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#sord2] cmp_log'0 self o = C_Less'0 + [%#sslice4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant x : t_Option'0 + constant a : t_Iter'0 - constant y : t_Option'0 + constant ab : Seq.seq t_T'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : t_Option'0) (y : t_Option'0) : () - + constant b : t_Iter'0 - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant bc : Seq.seq t_T'0 - type t_T'0 + constant c : t_Iter'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) + -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 465 14 465 45 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 463 4 463 10 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 + let%span sslice5 = 
"../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + let%span smodel8 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sindex9 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_T'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Opaque - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_IterMut'0 = + { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.UIntSize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.UIntSize - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Slice - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Slice - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice6] Seq.length (view'1 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice7] view'1 self = Slice.id self) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom view'0_spec : forall self : t_IterMut'0 . 
[%#sslice3] Seq.length (view'1 (view'0 self).final) + = Seq.length (view'1 (view'0 self).current) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + + = + [%#smodel8] view'1 self.current - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sindex9] Seq.get (view'1 self) ix - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Option'0) (o : t_Option'0) : bool + function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - = - [%#sord2] cmp_log'0 self o <> C_Less'0 - constant x : t_Option'0 + axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice4] Seq.length (to_mut_seq'0 self) + = Seq.length (view'2 self)) + && ([%#sslice5] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq'0 self) + -> Seq.get (to_mut_seq'0 self) i + = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) - constant y : t_Option'0 + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : t_Option'0) (y : t_Option'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + = + [%#sslice2] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) + constant self : t_IterMut'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (self : t_IterMut'0) : () + + goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span 
sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 470 15 470 32 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 471 15 471 32 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 472 14 472 42 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 468 4 468 10 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + let%span smodel10 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sindex11 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - type t_T'0 + use prelude.prelude.Opaque - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_IterMut'0 = + { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } - function cmp_log'1 
[#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Borrow - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.UIntSize - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.Int - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Slice - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Slice - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + axiom view'1_spec : forall self : slice t_T'0 . 
([%#sslice8] Seq.length (view'1 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice9] view'1 self = Slice.id self) - axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice5] Seq.length (view'1 (view'0 self).final) + = Seq.length (view'1 (view'0 self).current) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + + = + [%#smodel10] view'1 self.current - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex11] Seq.get (view'1 self) ix - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice6] Seq.length (to_mut_seq'0 self) + = Seq.length (view'2 self)) + && ([%#sslice7] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) + -> Seq.get (to_mut_seq'0 self) i + = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sslice4] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Option'0) (o : t_Option'0) : bool - - = - [%#sord2] cmp_log'0 self o = C_Greater'0 + constant a : t_IterMut'0 - constant x : t_Option'0 + constant ab : Seq.seq (borrowed t_T'0) - constant y : t_Option'0 + constant b : t_IterMut'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : t_Option'0) (y : t_Option'0) : () + constant bc : Seq.seq (borrowed t_T'0) + + constant c : t_IterMut'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) + goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) + -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span soption2 = 
"../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 +module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_refl [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (* as std::iter::Iterator> *) + let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 270 14 270 45 + let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 268 4 268 10 + let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_T'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + type t_A'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_A'0 } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_IntoIter'0 = + { t_IntoIter__buf'0: t_NonNull'0; + t_IntoIter__phantom'0: (); + t_IntoIter__cap'0: usize; + t_IntoIter__alloc'0: t_ManuallyDrop'0; + t_IntoIter__ptr'0: t_NonNull'0; + t_IntoIter__end'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use seq.Seq - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + + = + [%#svec2] view'0 self = Seq.(++) visited (view'0 rhs) - axiom refl'1_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 + constant self : t_IntoIter'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (self : t_IntoIter'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_refl'0 : [%#svec0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_trans [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (* as std::iter::Iterator> *) + let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 275 15 275 32 + let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 276 15 276 32 + let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 277 14 277 42 + let%span svec3 = "../../../creusot-contracts/src/std/vec.rs" 273 4 273 10 + let%span svec4 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Opaque - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_A'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_A'0 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_IntoIter'0 = + { t_IntoIter__buf'0: t_NonNull'0; + t_IntoIter__phantom'0: (); + t_IntoIter__cap'0: usize; + t_IntoIter__alloc'0: t_ManuallyDrop'0; + t_IntoIter__ptr'0: t_NonNull'0; + t_IntoIter__end'0: opaque_ptr } - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_T'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) = - [%#soption2] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#svec4] view'0 self = Seq.(++) visited (view'0 rhs) - constant x : t_Option'0 + constant a : t_IntoIter'0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : t_Option'0) : () + constant ab : Seq.seq t_T'0 - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 + constant b : t_IntoIter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + + goal vc_produces_trans'0 : ([%#svec1] produces'0 b bc c) + -> ([%#svec0] produces'0 a ab b) -> ([%#svec2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_T'0 + use prelude.prelude.Real - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - - - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + constant y : Real.real - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : Real.real) (y : Real.real) : () - axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 + goal vc_cmp_le_log'0 : [%#sord0] Real.(<=) x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Real - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + constant y : Real.real - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : Real.real) (y : Real.real) : () + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + goal vc_cmp_lt_log'0 : [%#sord0] Real.(<) x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use prelude.prelude.Real - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Real - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use prelude.prelude.Real - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 = - [%#soption4] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end - - constant x : t_Option'0 - - constant y : t_Option'0 + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant z : t_Option'0 + constant x : Real.real - constant o : t_Ordering'0 + constant y : Real.real - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : t_Option'0) (y : t_Option'0) (z : t_Option'0) (o : t_Ordering'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : Real.real) (y : Real.real) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) + goal vc_cmp_ge_log'0 : [%#sord0] Real.(>=) x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_T'0 + use prelude.prelude.Real - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : Real.real - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : Real.real) (y : Real.real) : () + - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + goal vc_cmp_gt_log'0 : [%#sord0] Real.(>) x y = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Real - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + constant x : Real.real - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : Real.real) : () - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span snum_rational4 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Real - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Real - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational4] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + constant y : Real.real - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + constant z : Real.real - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + constant o : t_Ordering'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : Real.real) (y : Real.real) (z : Real.real) (o : t_Ordering'0) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : t_Option'0 + constant x : Real.real - constant y : t_Option'0 + constant y : Real.real - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : t_Option'0) (y : t_Option'0) : () - + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : Real.real) (y : Real.real) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* as logic::ord::OrdLogic> *) +module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : Real.real - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : Real.real) (y : Real.real) : () - axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.Real - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant x : Real.real - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + constant y : Real.real - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : Real.real) (y : Real.real) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__ghost__qyi17645547594388049322__clone [#"../../../creusot-contracts/src/ghost.rs" 50 4 50 27] (* as std::clone::Clone> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 50 14 50 18 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 50 23 50 27 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 49 14 49 29 + let%span sclone3 = "../../../creusot-contracts/src/std/clone.rs" 7 0 20 1 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_T'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'4 self - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'2 x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant4] inv'3 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'1 x - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - - = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + let rec clone'1 (self:t_T'0) (return' (ret:t_T'0))= {[@expl:clone 'self' type invariant] inv'2 self} + any [ return' (result:t_T'0)-> {inv'3 result} {[%#sclone3] result = self} (! return' {result}) ] - constant x : t_Option'0 + use prelude.prelude.Intrinsic - constant y : t_Option'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : t_Option'0) (y : t_Option'0) : () - + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'3 a_0 + end - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 
72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = + [%#sinvariant4] inv'1 self - type t_T'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + meta "compute_max_steps" 1000000 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + let rec clone'0 (self:t_GhostBox'0) (return' (ret:t_GhostBox'0))= {[@expl:clone 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 [ s0 = clone'1 {self.t_GhostBox__0'0} (fun (_ret':t_T'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = _3 } ] s1 | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'0 = self | & _3 : t_T'0 = any_l () ] + [ return' (result:t_GhostBox'0)-> {[@expl:clone result type invariant] [%#sghost1] inv'1 result} + {[@expl:clone ensures] [%#sghost2] result = self} + (! 
return' {result}) ] +end +module M_creusot_contracts__ghost__qyi1862168959261460300__deref [#"../../../creusot-contracts/src/ghost.rs" 69 4 69 36] (* as std::ops::Deref> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 69 23 69 36 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 + let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) - - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use prelude.prelude.Borrow - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Intrinsic - axiom refl'0_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'3 self - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'2 x] . inv'2 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = + [%#sinvariant3] inv'2 self - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant3] inv'3 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'1 x - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + meta "compute_max_steps" 1000000 - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + let rec deref'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:deref 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 + [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 + | s1 = [ &_4 <- _5 ] s2 + | s2 = [ &_2 <- _4 ] s3 + | s3 = [ &_0 <- _2 ] s4 + | s4 = return' {_0} ] + ] + ) + [ & _0 : t_T'0 = any_l () + | & self : t_GhostBox'0 = self + | & _2 : t_T'0 = any_l () + | & _4 : t_T'0 = any_l () + | & _5 : t_T'0 = any_l () ] - = - [%#soption2] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [ return' (result:t_T'0)-> {[@expl:deref result type invariant] [%#sghost1] inv'1 result} + {[@expl:deref ensures] [%#sghost2] self.t_GhostBox__0'0 = result} + (! 
return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi17214052996668775070__deref_mut [#"../../../creusot-contracts/src/ghost.rs" 85 4 85 48] (* as std::ops::DerefMut> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 85 22 85 26 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 85 31 85 48 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 84 14 84 36 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - constant x : t_Option'0 + use prelude.prelude.Borrow - constant y : t_Option'0 + type t_T'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : t_Option'0) (y : t_Option'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 476 14 476 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 474 4 474 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant4] inv'0 self.current /\ inv'0 self.final - type t_T'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . 
inv'1 x = invariant'0 x - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'2 _1 - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'0 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant self : t_IntoIter'0 + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . 
inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (self : t_IntoIter'0) : () + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'0)) = + [%#sinvariant4] inv'3 self.current /\ inv'3 self.final - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 481 15 481 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 482 15 482 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 483 14 483 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 479 4 479 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'0)) - type t_T'0 + axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'0) [inv'2 x] . inv'2 x = invariant'1 x - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'0)) = + [%#sresolve3] self.final = self.current - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'0)) = + resolve'3 _1 - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + use prelude.prelude.Intrinsic - use seq.Seq + meta "compute_max_steps" 1000000 - use seq.Seq + let rec deref_mut'0 (self:borrowed (t_GhostBox'0)) (return' (ret:borrowed t_T'0))= {[@expl:deref_mut 'self' type invariant] [%#sghost0] inv'2 self} + (! 
bb0 + [ bb0 = s0 + [ s0 = {inv'0 (self.current).t_GhostBox__0'0} + Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_T'0) -> + [ &_5 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] + s1) + | s1 = {inv'0 _5.current} + Borrow.borrow_final {_5.current} {Borrow.get_id _5} + (fun (_ret':borrowed t_T'0) -> + [ &_4 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_5 <- { _5 with current = _ret'.final } ] + s2) + | s2 = {inv'0 _4.current} + Borrow.borrow_final {_4.current} {Borrow.get_id _4} + (fun (_ret':borrowed t_T'0) -> + [ &_2 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_4 <- { _4 with current = _ret'.final } ] + s3) + | s3 = {inv'0 _2.current} + Borrow.borrow_final {_2.current} {Borrow.get_id _2} + (fun (_ret':borrowed t_T'0) -> + [ &_0 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_2 <- { _2 with current = _ret'.final } ] + s4) + | s4 = {[@expl:type invariant] inv'1 _5} s5 + | s5 = -{resolve'0 _5}- s6 + | s6 = {[@expl:type invariant] inv'1 _4} s7 + | s7 = -{resolve'0 _4}- s8 + | s8 = {[@expl:type invariant] inv'1 _2} s9 + | s9 = -{resolve'0 _2}- s10 + | s10 = {[@expl:type invariant] inv'2 self} s11 + | s11 = -{resolve'1 self}- s12 + | s12 = return' {_0} ] + ] + ) + [ & _0 : borrowed t_T'0 = any_l () + | & self : borrowed (t_GhostBox'0) = self + | & _2 : borrowed t_T'0 = any_l () + | & _4 : borrowed t_T'0 = any_l () + | & _5 : borrowed t_T'0 = any_l () ] + + [ return' (result:borrowed t_T'0)-> {[@expl:deref_mut result type invariant] [%#sghost1] inv'1 result} + {[@expl:deref_mut ensures] [%#sghost2] result + = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} + (! 
return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi2175792468772189056__borrow [#"../../../creusot-contracts/src/ghost.rs" 124 4 124 40] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 124 19 124 23 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 124 28 124 40 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 123 14 123 35 + let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + type t_T'0 - use seq.Seq + type t_GhostBox'1 = + { t_GhostBox__0'0: t_T'0 } - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + use prelude.prelude.Borrow - use seq.Seq + type t_GhostBox'0 = + { t_GhostBox__0'1: t_T'0 } - constant a : t_IntoIter'0 + use prelude.prelude.Intrinsic - constant ab : Seq.seq t_T'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - constant b : t_IntoIter'0 + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'6 self - constant bc : Seq.seq t_T'0 + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - constant c : t_IntoIter'0 + axiom inv_axiom'4 [@rewrite] : forall x : t_T'0 [inv'4 x] . 
inv'4 x = invariant'2 x - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 529 14 529 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 527 4 527 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + axiom inv_axiom'3 [@rewrite] : forall x : t_GhostBox'1 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'1) = + [%#sinvariant3] inv'3 self - use prelude.prelude.Borrow + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - type t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'1 [inv'0 x] . inv'0 x = invariant'0 x - use seq.Seq + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant3] inv'6 self - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'5 x] . 
inv'5 x = invariant'3 x - type t_Iter'0 = - { t_Iter__inner'0: t_Item'0 } + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'5 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) - - = - [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant self : t_Iter'0 + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'1 = a_0} -> inv'2 a_0 + end - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (self : t_Iter'0) : () + meta "compute_max_steps" 1000000 - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + let rec borrow'0 (self:t_GhostBox'1) (return' (ret:t_GhostBox'0))= {[@expl:borrow 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _5 } ] s1 | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'1 = self | & _5 : t_T'0 = any_l () ] + [ return' (result:t_GhostBox'0)-> {[@expl:borrow result type invariant] [%#sghost1] inv'1 result} + {[@expl:borrow ensures] [%#sghost2] result.t_GhostBox__0'1 = self.t_GhostBox__0'0} + (! 
return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 534 15 534 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 535 15 535 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 536 14 536 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 532 4 532 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 +module M_creusot_contracts__ghost__qyi2175792468772189056__borrow_mut [#"../../../creusot-contracts/src/ghost.rs" 138 4 138 52] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 138 27 138 31 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 138 36 138 52 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 137 14 137 39 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + type t_GhostBox'1 = + { t_GhostBox__0'0: t_T'0 } - type t_Iter'0 = - { t_Iter__inner'0: t_Item'0 } + type t_GhostBox'0 = + { t_GhostBox__0'1: borrowed t_T'0 } - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant4] inv'0 self.current /\ inv'0 self.final - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 
506 4 506 34] (self : t_Iter'0) : t_Option'0 + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - use seq.Seq + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'2 _1 - use seq.Seq + predicate invariant'3 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'0 self - constant a : t_Iter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - constant ab : Seq.seq t_T'0 + axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'6 x] . inv'6 x = invariant'3 x - constant b : t_Iter'0 + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - constant bc : Seq.seq t_T'0 + axiom inv_axiom'4 [@rewrite] : forall x : t_GhostBox'1 [inv'5 x] . 
inv'5 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'6 a_0 + end - constant c : t_Iter'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'1)) = + [%#sinvariant4] inv'5 self.current /\ inv'5 self.final - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'1)) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 585 14 585 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 583 4 583 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'1) [inv'2 x] . 
inv'2 x = invariant'1 x - use seq.Seq + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'1)) = + [%#sresolve3] self.final = self.current - use prelude.prelude.Borrow + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'1)) = + resolve'3 _1 - type t_T'0 + use prelude.prelude.Intrinsic - use seq.Seq + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : borrowed t_T'0) = + [%#sboxed5] inv'1 self - type t_Option'0 = - | C_None'0 - | C_Some'0 (borrowed t_T'0) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - type t_IterMut'0 = - { t_IterMut__inner'0: t_Item'0 } + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'1 = a_0} -> inv'4 a_0 + end - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + let rec borrow_mut'0 (self:borrowed (t_GhostBox'1)) (return' (ret:t_GhostBox'0))= {[@expl:borrow_mut 'self' type invariant] [%#sghost0] inv'2 self} + (! 
bb0 + [ bb0 = s0 + [ s0 = {inv'0 (self.current).t_GhostBox__0'0} + Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_T'0) -> + [ &_5 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] + s1) + | s1 = {inv'0 _5.current} + Borrow.borrow_final {_5.current} {Borrow.get_id _5} + (fun (_ret':borrowed t_T'0) -> + [ &_4 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_5 <- { _5 with current = _ret'.final } ] + s2) + | s2 = bb1 ] + + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _4 } ] s1 | s1 = bb2 ] + | bb2 = s0 + [ s0 = {[@expl:type invariant] inv'1 _5} s1 + | s1 = -{resolve'0 _5}- s2 + | s2 = {[@expl:type invariant] inv'2 self} s3 + | s3 = -{resolve'1 self}- s4 + | s4 = return' {_0} ] + ] + ) + [ & _0 : t_GhostBox'0 = any_l () + | & self : borrowed (t_GhostBox'1) = self + | & _4 : borrowed t_T'0 = any_l () + | & _5 : borrowed t_T'0 = any_l () ] + + [ return' (result:t_GhostBox'0)-> {[@expl:borrow_mut result type invariant] [%#sghost1] inv'3 result} + {[@expl:borrow_mut ensures] [%#sghost2] result.t_GhostBox__0'1 + = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} + (! return' {result}) ] - = - [%#soption2] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o - \/ (exists e : borrowed t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - - constant self : t_IterMut'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (self : t_IterMut'0) : () - - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 590 15 590 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 591 15 591 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 592 14 592 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 588 4 588 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 - - use prelude.prelude.Borrow +module M_creusot_contracts__ghost__qyi2175792468772189056__conjure [#"../../../creusot-contracts/src/ghost.rs" 155 4 155 28] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 154 15 154 20 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 155 24 155 28 + let%span sboxed2 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 (borrowed t_T'0) - - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } - - type t_IterMut'0 = - { t_IterMut__inner'0: t_Item'0 } + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - use seq.Seq + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed2] inv'2 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + predicate inv'1 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o - \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'1 a_0 + end - constant a : t_IterMut'0 + meta "compute_max_steps" 1000000 - constant ab : Seq.seq (borrowed t_T'0) + let rec conjure'0 (_1:()) (return' (ret:t_GhostBox'0))= {[@expl:conjure requires] [%#sghost0] false} + (! bb0 [ bb0 = bb1 | bb1 = bb1 [ bb1 = (! bb2) [ bb2 = bb1 ] ] ] ) + [ return' (result:t_GhostBox'0)-> {[@expl:conjure result type invariant] [%#sghost1] inv'0 result} + (! 
return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi2175792468772189056__new [#"../../../creusot-contracts/src/ghost.rs" 181 4 181 28] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 181 24 181 28 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 + let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - constant b : t_IterMut'0 + type t_T'0 - constant bc : Seq.seq (borrowed t_T'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - constant c : t_IterMut'0 + use prelude.prelude.Intrinsic - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__ptr__qyi17063894948818224584__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (* <*const T as std::ptr::PointerExt> *) - let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed3] inv'0 self - use prelude.prelude.Opaque + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use prelude.prelude.Int + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant self : opaque_ptr + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool + meta "compute_max_steps" 1000000 - goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) + let rec new'0 (x:t_T'0) (return' (ret:t_GhostBox'0))= {[@expl:new 'x' type invariant] [%#sghost0] inv'0 x} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = x } ] s1 | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & x : t_T'0 = x ] + [ return' (result:t_GhostBox'0)-> {[@expl:new result type invariant] [%#sghost1] inv'1 result} + {[@expl:new ensures] [%#sghost2] result.t_GhostBox__0'0 = x} + (! 
return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__ptr__qyi4877913266695965320__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (* <*mut T as std::ptr::PointerExt> *) - let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 96 14 96 48 - let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 98 8 98 30 +module M_creusot_contracts__ghost__qyi2175792468772189056__into_inner [#"../../../creusot-contracts/src/ghost.rs" 199 4 199 32] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 199 31 199 32 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 + let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use prelude.prelude.Opaque + type t_T'0 - use prelude.prelude.Int + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 90 4 90 30] (self : opaque_ptr) : int + use prelude.prelude.Intrinsic - constant self : opaque_ptr + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (self : opaque_ptr) : bool + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed3] inv'1 self - goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) -end -module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 411 14 411 45 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 409 4 409 10 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 - let%span sslice3 = 
"../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x - use prelude.prelude.Borrow + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - type t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - use seq.Seq + meta "compute_max_steps" 1000000 - use prelude.prelude.Opaque + let rec into_inner'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:into_inner 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 [ bb0 = bb1 | bb1 = s0 [ s0 = [ &_0 <- self.t_GhostBox__0'0 ] s1 | s1 = bb2 ] | bb2 = return' {_0} ] ) + [ & _0 : t_T'0 = any_l () | & self : t_GhostBox'0 = self ] + + [ return' (result:t_T'0)-> {[@expl:into_inner result type invariant] [%#sghost1] inv'1 result} + {[@expl:into_inner ensures] [%#sghost2] result = self.t_GhostBox__0'0} + (! 
return' {result}) ] + +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__subtract [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 195 15 195 33 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 196 14 196 36 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 197 14 197 46 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 198 14 202 5 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 180 14 184 5 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 204 8 204 33 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 154 12 154 89 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 146 19 146 71 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 163 15 163 35 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 164 14 170 5 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 171 14 171 54 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap12 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap13 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap16 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap17 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + type t_FMap'0 - type t_Iter'0 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_K'0 - use prelude.prelude.Slice + type t_V'0 - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 + 
type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use seq.Seq + use map.Map - use seq.Seq + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) + - use seq.Seq + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap17] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'0 m1 <> view'0 m2 - use prelude.prelude.UIntSize + use map.Map - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap14] Map.get (view'0 self) k - use prelude.prelude.UIntSize + function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + + = + [%#sfmap15] get_unsized'0 self k <> C_None'0 - use prelude.prelude.Int + function subset'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 152 4 152 44] (self : t_FMap'0) (other : t_FMap'0) : bool + + = + [%#sfmap6] forall k : t_K'0 . contains'0 self k -> get_unsized'0 other k = get_unsized'0 self k - use prelude.prelude.Slice + function disjoint'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 145 4 145 46] (self : t_FMap'0) (other : t_FMap'0) : bool + + = + [%#sfmap7] forall k : t_K'0 . not contains'0 self k \/ not contains'0 other k - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + use prelude.prelude.Int - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice8] view'2 self = Slice.id self) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel5] view'2 self + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap16] len'0 self >= 0 - use seq.Seq + function union'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 172 4 172 43] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + - use seq.Seq + axiom union'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap8] disjoint'0 self other) + -> ([%#sfmap9] forall k : t_K'0 . get_unsized'0 (union'0 self other) k + = (if contains'0 self k then + get_unsized'0 self k + else + if contains'0 other k then get_unsized'0 other k else C_None'0 + )) + && ([%#sfmap10] len'0 (union'0 self other) = len'0 self + len'0 other) - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool = - [%#sindex6] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + [%#sfmap13] view'0 self = view'0 other - use seq.Seq + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap11] ext_eq'0 self other -> self = other) + && ([%#sfmap12] (forall k : t_K'0 . 
get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function subtract_keys'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 185 4 185 51] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - = - [%#sslice2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant self : t_Iter'0 + axiom subtract_keys'0_spec : forall self : t_FMap'0, other : t_FMap'0 . [%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k) - function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (self : t_Iter'0) : () + constant self : t_FMap'0 - goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 416 15 416 32 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 417 15 417 32 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 418 14 418 42 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 414 4 414 10 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + constant other : 
t_FMap'0 - use prelude.prelude.Opaque + function subtract'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + goal vc_subtract'0 : ([%#sfmap0] subset'0 other self) + -> ([%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k)) + -> (let result = subtract_keys'0 self other in ([%#sfmap1] disjoint'0 result other) + && ([%#sfmap2] ext_eq'0 (union'0 other result) self) + && ([%#sfmap3] forall k : t_K'0 . get_unsized'0 result k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k))) +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__ext_eq [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - type t_Iter'0 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_K'0 - use prelude.prelude.Borrow + type t_FMap'0 - type t_T'0 + type t_V'0 - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use prelude.prelude.Slice + use map.Map - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) + - use seq.Seq + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'0 m1 <> view'0 m2 - use seq.Seq + use map.Map - use seq.Seq + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] Map.get (view'0 self) k - use prelude.prelude.UIntSize + constant self : t_FMap'0 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + constant other : t_FMap'0 - use prelude.prelude.UIntSize + function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool + - use prelude.prelude.Int + goal vc_ext_eq'0 : ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) + -> ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) + -> (let result = view'0 self = view'0 other in ([%#sfmap0] result -> self = other) + && ([%#sfmap1] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> result)) +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__contains_ghost [#"../../../creusot-contracts/src/logic/fmap.rs" 285 4 285 49] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 285 27 285 31 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 285 33 285 36 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 284 14 284 43 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 314 22 314 26 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 314 28 314 31 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 314 40 314 50 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 306 4 313 11 + let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 36 26 36 51 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 + let%span sfmap10 = 
"../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sutil11 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil12 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 + let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 452 20 452 91 + let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use prelude.prelude.Slice + use prelude.prelude.Borrow - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + type t_FMap'0 - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice10] view'2 self = Slice.id self) + type t_K'0 - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel7] view'2 self + type t_V'0 - use seq.Seq + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - use seq.Seq + use map.Map - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - = - [%#sindex8] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap14] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'0 m1 <> view'0 m2 - use seq.Seq + use map.Map - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#sslice4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - - constant a : t_Iter'0 + [%#sfmap10] Map.get (view'0 self) k - constant ab : Seq.seq t_T'0 + function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + + = + [%#sfmap8] get_unsized'0 self k <> C_None'1 - constant b : t_Iter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - constant bc : Seq.seq t_T'0 + function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'1) : t_V'0 - constant c : t_Iter'0 + axiom unwrap'0_spec : forall op : t_Option'1 . 
([%#sutil11] op <> C_None'1) + -> ([%#sutil12] C_Some'1 (unwrap'0 op) = op) - function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + function lookup_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 123 4 123 50] (self : t_FMap'0) (k : t_K'0) : t_V'0 + = + [%#sfmap9] unwrap'0 (get_unsized'0 self k) - goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) - -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 465 14 465 45 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 463 4 463 10 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - let%span smodel8 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sindex9 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - - use seq.Seq - - use prelude.prelude.Borrow + predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - type t_T'0 + predicate invariant'5 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_V'0) = + [%#sboxed16] inv'7 self - use seq.Seq + predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - use prelude.prelude.Opaque + 
axiom inv_axiom'6 [@rewrite] : forall x : t_V'0 [inv'8 x] . inv'8 x = invariant'5 x - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + predicate invariant'4 [#"../../../creusot-contracts/src/logic/fmap.rs" 451 4 451 30] (self : t_FMap'0) = + [%#sfmap15] forall k : t_K'0 . contains'0 self k -> inv'6 k /\ inv'8 (lookup_unsized'0 self k) - type t_IterMut'0 = - { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) - use seq.Seq + axiom inv_axiom'5 [@rewrite] : forall x : t_FMap'0 [inv'5 x] . inv'5 x = invariant'4 x - use prelude.prelude.UIntSize + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_FMap'0) = + [%#sinvariant13] inv'5 self - constant v_MAX'0 : usize = (18446744073709551615 : usize) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) - use prelude.prelude.UIntSize + axiom inv_axiom'0 [@rewrite] : forall x : t_FMap'0 [inv'0 x] . inv'0 x = invariant'0 x - use prelude.prelude.Int + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_K'0) = + [%#sinvariant13] inv'6 self - use prelude.prelude.Slice + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - use prelude.prelude.Slice + axiom inv_axiom'1 [@rewrite] : forall x : t_K'0 [inv'1 x] . inv'1 x = invariant'1 x - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_V'0) = + [%#sinvariant13] inv'7 self - axiom view'1_spec : forall self : slice t_T'0 . 
([%#sslice6] Seq.length (view'1 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice7] view'1 self = Slice.id self) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) - + axiom inv_axiom'4 [@rewrite] : forall x : t_V'0 [inv'4 x] . inv'4 x = invariant'3 x - axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice3] Seq.length (view'1 (view'0 self).final) - = Seq.length (view'1 (view'0 self).current) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - use seq.Seq + axiom inv_axiom'2 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end - function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + let rec get_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:t_Option'0))= {[@expl:get_ghost 'self' type invariant] [%#sfmap3] inv'0 self} + {[@expl:get_ghost 'key' type invariant] [%#sfmap4] inv'1 key} + any + [ return' (result:t_Option'0)-> {[%#sfmap5] inv'2 result} + {[%#sfmap6] if contains'0 self key then + match result with + | C_None'0 -> false + | C_Some'0 r -> lookup_unsized'0 self key = r + end + else + result = C_None'0 + } + (! return' {result}) ] - = - [%#smodel8] view'1 self.current - use seq.Seq + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Option'0) = + [%#sinvariant13] inv'2 self - use seq.Seq + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex9] Seq.get (view'1 self) ix + axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'3 x] . 
inv'3 x = invariant'2 x - function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - + let rec is_some'0 (self:t_Option'0) (return' (ret:bool))= {[@expl:is_some 'self' type invariant] inv'3 self} + any [ return' (result:bool)-> {[%#soption7] result = (self <> C_None'0)} (! return' {result}) ] - axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice4] Seq.length (to_mut_seq'0 self) - = Seq.length (view'2 self)) - && ([%#sslice5] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) - -> Seq.get (to_mut_seq'0 self) i - = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) + use prelude.prelude.Intrinsic - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + let rec contains_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:bool))= {[@expl:contains_ghost 'self' type invariant] [%#sfmap0] inv'0 self} + {[@expl:contains_ghost 'key' type invariant] [%#sfmap1] inv'1 key} + (! bb0 + [ bb0 = s0 [ s0 = get_ghost'0 {self} {key} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = is_some'0 {_5} (fun (_ret':bool) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : bool = any_l () | & self : t_FMap'0 = self | & key : t_K'0 = key | & _5 : t_Option'0 = any_l () ] + [ return' (result:bool)-> {[@expl:contains_ghost ensures] [%#sfmap2] result = contains'0 self key} + (! 
return' {result}) ] - = - [%#sslice2] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - - constant self : t_IterMut'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (self : t_IterMut'0) : () - - goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 470 15 470 32 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 471 15 471 32 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 472 14 472 42 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 468 4 468 10 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - let%span smodel10 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sindex11 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - - use prelude.prelude.Opaque - - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } - - type t_IterMut'0 = - { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = 
"../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_T'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - use prelude.prelude.UIntSize + constant y : int - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int) (y : int) : () - use prelude.prelude.UIntSize + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Slice + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Slice + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + constant y : int - axiom view'1_spec : forall self : slice t_T'0 . 
([%#sslice8] Seq.length (view'1 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice9] view'1 self = Slice.id self) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int) (y : int) : () - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) - + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice5] Seq.length (view'1 (view'0 self).final) - = Seq.length (view'1 (view'0 self).current) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#smodel10] view'1 self.current + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - use seq.Seq + constant y : int - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex11] Seq.get (view'1 self) ix + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int) (y : int) : () - function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - + goal vc_cmp_ge_log'0 : [%#sord0] (x 
>= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice6] Seq.length (to_mut_seq'0 self) - = Seq.length (view'2 self)) - && ([%#sslice7] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) - -> Seq.get (to_mut_seq'0 self) i - = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#sslice4] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant a : t_IterMut'0 + constant x : int - constant ab : Seq.seq (borrowed t_T'0) + constant y : int - constant b : t_IterMut'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int) (y : int) : () - constant bc : Seq.seq (borrowed t_T'0) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = 
"../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - constant c : t_IterMut'0 + use prelude.prelude.Int - function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) - -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) + constant x : int + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int) : () + + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_refl [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (* as std::iter::Iterator> *) - let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 270 14 270 45 - let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 268 4 268 10 - let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 +module M_creusot_contracts__logic__ord__qyi8355372356285216375__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use seq.Seq + use prelude.prelude.Int - type t_T'0 + 
type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Opaque + constant x : int - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + constant y : int - use prelude.prelude.UIntSize + constant z : int - type t_A'0 + constant o : t_Ordering'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_A'0 } + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int) (y : int) (z : int) (o : t_Ordering'0) : () + - type t_IntoIter'0 = - { t_IntoIter__buf'0: t_NonNull'0; - t_IntoIter__phantom'0: (); - t_IntoIter__cap'0: usize; - t_IntoIter__alloc'0: t_ManuallyDrop'0; - t_IntoIter__ptr'0: t_NonNull'0; - t_IntoIter__end'0: opaque_ptr } + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : 
t_Ordering'0 = - [%#svec2] view'0 self = Seq.(++) visited (view'0 rhs) + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant self : t_IntoIter'0 + constant x : int - function produces_refl'0 [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (self : t_IntoIter'0) : () + constant y : int - goal vc_produces_refl'0 : [%#svec0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_trans [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (* as std::iter::Iterator> *) - let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 275 15 275 32 - let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 276 15 276 32 - let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 277 14 277 42 - let%span svec3 = "../../../creusot-contracts/src/std/vec.rs" 273 4 273 10 - let%span svec4 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int) (y : int) : () - use prelude.prelude.Opaque + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + use prelude.prelude.Int - use prelude.prelude.UIntSize + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_A'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : 
t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_A'0 } + constant x : int - type t_IntoIter'0 = - { t_IntoIter__buf'0: t_NonNull'0; - t_IntoIter__phantom'0: (); - t_IntoIter__cap'0: usize; - t_IntoIter__alloc'0: t_ManuallyDrop'0; - t_IntoIter__ptr'0: t_NonNull'0; - t_IntoIter__end'0: opaque_ptr } + constant y : int - type t_T'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int) (y : int) : () - use seq.Seq + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#svec4] view'0 self = Seq.(++) visited (view'0 rhs) - - constant a : t_IntoIter'0 - - constant ab : Seq.seq t_T'0 - - constant b : t_IntoIter'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant bc : Seq.seq t_T'0 + constant x : int - constant c : t_IntoIter'0 + constant y : int - function produces_trans'0 [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (a : t_IntoIter'0) (ab : Seq.seq 
t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int) (y : int) : () - goal vc_produces_trans'0 : ([%#svec1] produces'0 b bc c) - -> ([%#svec0] produces'0 a ab b) -> ([%#svec2] produces'0 a (Seq.(++) ab bc) c) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : Real.real) (y : Real.real) : () - + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint8) (y : uint8) : () - goal 
vc_cmp_le_log'0 : [%#sord0] Real.(<=) x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : Real.real) (y : Real.real) : () - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint8) (y : uint8) : () - goal vc_cmp_lt_log'0 : [%#sord0] Real.(<) x y = (cmp_log'0 x y = C_Less'0) + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 
8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : Real.real) (y : Real.real) : () - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint8) (y : uint8) : () - goal vc_cmp_ge_log'0 : [%#sord0] Real.(>=) x y = (cmp_log'0 x y <> C_Less'0) + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 
= "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : Real.real) (y : Real.real) : () - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint8) (y : uint8) : () - goal vc_cmp_gt_log'0 : [%#sord0] Real.(>) x y = (cmp_log'0 x y = C_Greater'0) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use 
prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : Real.real) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint8) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__num_rational__qyi7156484438548626841__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span snum_rational4 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational4] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - constant z : Real.real + constant z : uint8 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : Real.real) (y : Real.real) (z : Real.real) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint8) (y : uint8) (z : uint8) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - 
[%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : Real.real) (y : Real.real) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint8) (y : uint8) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + 
constant y : uint8 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : Real.real) (y : Real.real) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint8) (y : uint8) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : Real.real) (y : Real.real) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint8) (y : uint8) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module 
M_creusot_contracts__ghost__qyi17645547594388049322__clone [#"../../../creusot-contracts/src/ghost.rs" 50 4 50 27] (* as std::clone::Clone> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 50 14 50 18 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 50 23 50 27 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 49 14 49 29 - let%span sclone3 = "../../../creusot-contracts/src/std/clone.rs" 7 0 20 1 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - - type t_T'0 - - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } - - use prelude.prelude.Borrow - - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'4 self - - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'2 x - - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant4] inv'3 self - - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - - let rec clone'1 (self:t_T'0) (return' (ret:t_T'0))= {[@expl:clone 'self' type invariant] inv'2 self} - any [ return' (result:t_T'0)-> {inv'3 result} {[%#sclone3] result = self} (! return' {result}) ] - - use prelude.prelude.Intrinsic - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . 
inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'3 a_0 - end - - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = - [%#sinvariant4] inv'1 self - - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec clone'0 (self:t_GhostBox'0) (return' (ret:t_GhostBox'0))= {[@expl:clone 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 [ s0 = clone'1 {self.t_GhostBox__0'0} (fun (_ret':t_T'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = _3 } ] s1 | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'0 = self | & _3 : t_T'0 = any_l () ] - [ return' (result:t_GhostBox'0)-> {[@expl:clone result type invariant] [%#sghost1] inv'1 result} - {[@expl:clone ensures] [%#sghost2] result = self} - (! 
return' {result}) ] - -end -module M_creusot_contracts__ghost__qyi1862168959261460300__deref [#"../../../creusot-contracts/src/ghost.rs" 69 4 69 36] (* as std::ops::Deref> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 69 23 69 36 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + use prelude.prelude.UInt16 - type t_T'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Borrow + constant x : uint16 - use prelude.prelude.Intrinsic + constant y : uint16 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint16) (y : uint16) : () - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'3 self + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Int - axiom inv_axiom'3 [@rewrite] : forall x 
: t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + use prelude.prelude.UInt16 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'2 x] . inv'2 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = - [%#sinvariant3] inv'2 self + constant x : uint16 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant y : uint16 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint16) (y : uint16) : () - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant3] inv'3 self + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . 
inv'1 x = invariant'1 x + use prelude.prelude.UInt16 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec deref'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:deref 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 - [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 - | s1 = [ &_4 <- _5 ] s2 - | s2 = [ &_2 <- _4 ] s3 - | s3 = [ &_0 <- _2 ] s4 - | s4 = return' {_0} ] - ] - ) - [ & _0 : t_T'0 = any_l () - | & self : t_GhostBox'0 = self - | & _2 : t_T'0 = any_l () - | & _4 : t_T'0 = any_l () - | & _5 : t_T'0 = any_l () ] - - [ return' (result:t_T'0)-> {[@expl:deref result type invariant] [%#sghost1] inv'1 result} - {[@expl:deref ensures] [%#sghost2] self.t_GhostBox__0'0 = result} - (! return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi17214052996668775070__deref_mut [#"../../../creusot-contracts/src/ghost.rs" 85 4 85 48] (* as std::ops::DerefMut> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 85 22 85 26 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 85 31 85 48 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 84 14 84 36 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Borrow + constant x : uint16 - type t_T'0 + constant y : uint16 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint16) (y : uint16) : () - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + goal vc_cmp_ge_log'0 : 
[%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant4] inv'0 self.current /\ inv'0 self.final + use prelude.prelude.Int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + use prelude.prelude.UInt16 - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'2 _1 + constant x : uint16 - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'0 self + constant y : uint16 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint16) (y : uint16) : () - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . 
inv'4 x = invariant'2 x + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt16 - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'0)) = - [%#sinvariant4] inv'3 self.current /\ inv'3 self.final + use prelude.prelude.Int - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'0)) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'0) [inv'2 x] . 
inv'2 x = invariant'1 x + constant x : uint16 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'0)) = - [%#sresolve3] self.final = self.current + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint16) : () - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'0)) = - resolve'3 _1 + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.UInt16 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec deref_mut'0 (self:borrowed (t_GhostBox'0)) (return' (ret:borrowed t_T'0))= {[@expl:deref_mut 'self' type invariant] [%#sghost0] inv'2 self} - (! 
bb0 - [ bb0 = s0 - [ s0 = {inv'0 (self.current).t_GhostBox__0'0} - Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_T'0) -> - [ &_5 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] - s1) - | s1 = {inv'0 _5.current} - Borrow.borrow_final {_5.current} {Borrow.get_id _5} - (fun (_ret':borrowed t_T'0) -> - [ &_4 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_5 <- { _5 with current = _ret'.final } ] - s2) - | s2 = {inv'0 _4.current} - Borrow.borrow_final {_4.current} {Borrow.get_id _4} - (fun (_ret':borrowed t_T'0) -> - [ &_2 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_4 <- { _4 with current = _ret'.final } ] - s3) - | s3 = {inv'0 _2.current} - Borrow.borrow_final {_2.current} {Borrow.get_id _2} - (fun (_ret':borrowed t_T'0) -> - [ &_0 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_2 <- { _2 with current = _ret'.final } ] - s4) - | s4 = {[@expl:type invariant] inv'1 _5} s5 - | s5 = -{resolve'0 _5}- s6 - | s6 = {[@expl:type invariant] inv'1 _4} s7 - | s7 = -{resolve'0 _4}- s8 - | s8 = {[@expl:type invariant] inv'1 _2} s9 - | s9 = -{resolve'0 _2}- s10 - | s10 = {[@expl:type invariant] inv'2 self} s11 - | s11 = -{resolve'1 self}- s12 - | s12 = return' {_0} ] - ] - ) - [ & _0 : borrowed t_T'0 = any_l () - | & self : borrowed (t_GhostBox'0) = self - | & _2 : borrowed t_T'0 = any_l () - | & _4 : borrowed t_T'0 = any_l () - | & _5 : borrowed t_T'0 = any_l () ] - - [ return' (result:borrowed t_T'0)-> {[@expl:deref_mut result type invariant] [%#sghost1] inv'1 result} - {[@expl:deref_mut ensures] [%#sghost2] result - = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} - (! 
return' {result}) ] + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__borrow [#"../../../creusot-contracts/src/ghost.rs" 124 4 124 40] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 124 19 124 23 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 124 28 124 40 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 123 14 123 35 - let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_T'0 + constant x : uint16 - type t_GhostBox'1 = - { t_GhostBox__0'0: t_T'0 } + constant y : uint16 - use prelude.prelude.Borrow + constant z : uint16 - type t_GhostBox'0 = - { t_GhostBox__0'1: t_T'0 } + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint16) (y : uint16) (z : uint16) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.UInt16 - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - 
predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'6 self + use prelude.prelude.Int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'4 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + constant x : uint16 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + constant y : uint16 - axiom inv_axiom'3 [@rewrite] : forall x : t_GhostBox'1 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint16) (y : uint16) : () - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'1) = - [%#sinvariant3] inv'3 self + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + use prelude.prelude.UInt16 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'1 [inv'0 x] . 
inv'0 x = invariant'0 x + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant3] inv'6 self + use prelude.prelude.Int - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'3 x + constant x : uint16 - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'5 self + constant y : uint16 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint16) (y : uint16) : () - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt16 - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . 
inv'1 x - = match x with - | {t_GhostBox__0'1 = a_0} -> inv'2 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec borrow'0 (self:t_GhostBox'1) (return' (ret:t_GhostBox'0))= {[@expl:borrow 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _5 } ] s1 | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'1 = self | & _5 : t_T'0 = any_l () ] - [ return' (result:t_GhostBox'0)-> {[@expl:borrow result type invariant] [%#sghost1] inv'1 result} - {[@expl:borrow ensures] [%#sghost2] result.t_GhostBox__0'1 = self.t_GhostBox__0'0} - (! return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__borrow_mut [#"../../../creusot-contracts/src/ghost.rs" 138 4 138 52] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 138 27 138 31 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 138 36 138 52 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 137 14 137 39 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Borrow + constant x : uint16 - type t_T'0 + constant y : uint16 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint16) (y : uint16) : () - type t_GhostBox'1 = - { t_GhostBox__0'0: t_T'0 } + 
goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_GhostBox'0 = - { t_GhostBox__0'1: borrowed t_T'0 } + use prelude.prelude.Int - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant4] inv'0 self.current /\ inv'0 self.final + use prelude.prelude.UInt32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + constant x : uint32 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'2 _1 + constant y : uint32 - predicate invariant'3 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'0 self + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint32) (y : uint32) : () - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module 
M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'6 x] . inv'6 x = invariant'3 x + use prelude.prelude.Int - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + use prelude.prelude.UInt32 - axiom inv_axiom'4 [@rewrite] : forall x : t_GhostBox'1 [inv'5 x] . inv'5 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'6 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'1)) = - [%#sinvariant4] inv'5 self.current /\ inv'5 self.final + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'1)) + constant x : uint32 - axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'1) [inv'2 x] . 
inv'2 x = invariant'1 x + constant y : uint32 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'1)) = - [%#sresolve3] self.final = self.current + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint32) (y : uint32) : () - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'1)) = - resolve'3 _1 + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.Int - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : borrowed t_T'0) = - [%#sboxed5] inv'1 self + use prelude.prelude.UInt32 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant x : uint32 - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . 
inv'3 x - = match x with - | {t_GhostBox__0'1 = a_0} -> inv'4 a_0 - end + constant y : uint32 - meta "compute_max_steps" 1000000 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint32) (y : uint32) : () - let rec borrow_mut'0 (self:borrowed (t_GhostBox'1)) (return' (ret:t_GhostBox'0))= {[@expl:borrow_mut 'self' type invariant] [%#sghost0] inv'2 self} - (! bb0 - [ bb0 = s0 - [ s0 = {inv'0 (self.current).t_GhostBox__0'0} - Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_T'0) -> - [ &_5 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] - s1) - | s1 = {inv'0 _5.current} - Borrow.borrow_final {_5.current} {Borrow.get_id _5} - (fun (_ret':borrowed t_T'0) -> - [ &_4 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_5 <- { _5 with current = _ret'.final } ] - s2) - | s2 = bb1 ] - - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _4 } ] s1 | s1 = bb2 ] - | bb2 = s0 - [ s0 = {[@expl:type invariant] inv'1 _5} s1 - | s1 = -{resolve'0 _5}- s2 - | s2 = {[@expl:type invariant] inv'2 self} s3 - | s3 = -{resolve'1 self}- s4 - | s4 = return' {_0} ] - ] - ) - [ & _0 : t_GhostBox'0 = any_l () - | & self : borrowed (t_GhostBox'1) = self - | & _4 : borrowed t_T'0 = any_l () - | & _5 : borrowed t_T'0 = any_l () ] - - [ return' (result:t_GhostBox'0)-> {[@expl:borrow_mut result type invariant] [%#sghost1] inv'3 result} - {[@expl:borrow_mut ensures] [%#sghost2] result.t_GhostBox__0'1 - = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} - (! 
return' {result}) ] - + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__ghost__qyi2175792468772189056__conjure [#"../../../creusot-contracts/src/ghost.rs" 155 4 155 28] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 154 15 154 20 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 155 24 155 28 - let%span sboxed2 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.Int + + use prelude.prelude.UInt32 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint32 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed2] inv'2 self + constant y : uint32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint32) (y : uint32) : () - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . 
inv'1 x = invariant'0 x + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt32 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'1 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec conjure'0 (_1:()) (return' (ret:t_GhostBox'0))= {[@expl:conjure requires] [%#sghost0] false} - (! bb0 [ bb0 = bb1 | bb1 = bb1 [ bb1 = (! bb2) [ bb2 = bb1 ] ] ] ) - [ return' (result:t_GhostBox'0)-> {[@expl:conjure result type invariant] [%#sghost1] inv'0 result} - (! 
return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__new [#"../../../creusot-contracts/src/ghost.rs" 181 4 181 28] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 181 24 181 28 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 - let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_T'0 + constant x : uint32 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint32) : () - use prelude.prelude.Intrinsic + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.UInt32 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed3] inv'0 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant x : uint32 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + constant y : uint32 - meta "compute_max_steps" 1000000 + constant z : uint32 - let rec new'0 (x:t_T'0) (return' (ret:t_GhostBox'0))= {[@expl:new 'x' type invariant] [%#sghost0] inv'0 x} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = x } ] s1 | s1 = bb3 ] - | bb3 = bb4 - | bb4 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & x : t_T'0 = x ] - [ return' (result:t_GhostBox'0)-> {[@expl:new result type invariant] [%#sghost1] inv'1 result} - {[@expl:new ensures] [%#sghost2] result.t_GhostBox__0'0 = x} - (! 
return' {result}) ] + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint32) (y : uint32) (z : uint32) (o : t_Ordering'0) : () + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__ghost__qyi2175792468772189056__into_inner [#"../../../creusot-contracts/src/ghost.rs" 199 4 199 32] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 199 31 199 32 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.UInt32 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Intrinsic + use prelude.prelude.Int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed3] inv'1 self + constant x : uint32 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) 
+ constant y : uint32 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint32) (y : uint32) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + use prelude.prelude.UInt32 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec into_inner'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:into_inner 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 [ bb0 = bb1 | bb1 = s0 [ s0 = [ &_0 <- self.t_GhostBox__0'0 ] s1 | s1 = bb2 ] | bb2 = return' {_0} ] ) - [ & _0 : t_T'0 = any_l () | & self : t_GhostBox'0 = self ] - - [ return' (result:t_T'0)-> {[@expl:into_inner result type invariant] [%#sghost1] inv'1 result} - {[@expl:into_inner ensures] [%#sghost2] result = self.t_GhostBox__0'0} - (! 
return' {result}) ] - -end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__subtract [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 195 15 195 33 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 196 14 196 36 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 197 14 197 46 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 198 14 202 5 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 180 14 184 5 - let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 204 8 204 33 - let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 154 12 154 89 - let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 146 19 146 71 - let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 163 15 163 35 - let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 164 14 170 5 - let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 171 14 171 54 - let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 - let%span sfmap12 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 - let%span sfmap13 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 - let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 - let%span sfmap16 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 - let%span sfmap17 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + use prelude.prelude.Int - type t_FMap'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_K'0 + constant x : uint32 - type t_V'0 + constant y : uint32 - type t_Option'0 = - 
| C_None'0 - | C_Some'0 t_V'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint32) (y : uint32) : () - use map.Map + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) - + use prelude.prelude.UInt32 - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap17] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 - -> view'0 m1 <> view'0 m2 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use map.Map + use prelude.prelude.Int - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 = - [%#sfmap14] Map.get (view'0 self) k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool - - = - [%#sfmap15] get_unsized'0 self k <> C_None'0 + constant x : uint32 - function subset'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 152 4 152 44] (self : t_FMap'0) (other : t_FMap'0) : bool - - = - [%#sfmap6] forall k : t_K'0 . 
contains'0 self k -> get_unsized'0 other k = get_unsized'0 self k + constant y : uint32 - function disjoint'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 145 4 145 46] (self : t_FMap'0) (other : t_FMap'0) : bool + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint32) (y : uint32) : () + + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + + use prelude.prelude.Int + + use prelude.prelude.UInt64 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap7] forall k : t_K'0 . 
not contains'0 self k \/ not contains'0 other k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + + constant x : uint64 + + constant y : uint64 + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint64) (y : uint64) : () + + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - - axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap16] len'0 self >= 0 - - function union'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 172 4 172 43] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - + use prelude.prelude.UInt64 - axiom union'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap8] disjoint'0 self other) - -> ([%#sfmap9] forall k : t_K'0 . 
get_unsized'0 (union'0 self other) k - = (if contains'0 self k then - get_unsized'0 self k - else - if contains'0 other k then get_unsized'0 other k else C_None'0 - )) - && ([%#sfmap10] len'0 (union'0 self other) = len'0 self + len'0 other) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap13] view'0 self = view'0 other + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap11] ext_eq'0 self other -> self = other) - && ([%#sfmap12] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + constant x : uint64 - function subtract_keys'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 185 4 185 51] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - + constant y : uint64 - axiom subtract_keys'0_spec : forall self : t_FMap'0, other : t_FMap'0 . [%#sfmap4] forall k : t_K'0 . 
get_unsized'0 (subtract_keys'0 self other) k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint64) (y : uint64) : () - constant self : t_FMap'0 + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - constant other : t_FMap'0 + use prelude.prelude.Int - function subtract'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - + use prelude.prelude.UInt64 - goal vc_subtract'0 : ([%#sfmap0] subset'0 other self) - -> ([%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k)) - -> (let result = subtract_keys'0 self other in ([%#sfmap1] disjoint'0 result other) - && ([%#sfmap2] ext_eq'0 (union'0 other result) self) - && ([%#sfmap3] forall k : t_K'0 . 
get_unsized'0 result k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k))) -end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__ext_eq [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_K'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_FMap'0 + constant x : uint64 - type t_V'0 + constant y : uint64 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint64) (y : uint64) : () - use map.Map + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) - + use prelude.prelude.Int - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 - -> view'0 m1 <> view'0 m2 + use prelude.prelude.UInt64 - use map.Map + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap4] Map.get (view'0 self) k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant self : t_FMap'0 + constant x : uint64 - constant other : t_FMap'0 + constant y : uint64 - function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint64) (y : uint64) : () - goal vc_ext_eq'0 : ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) - -> ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) - -> (let result = view'0 self = view'0 other in ([%#sfmap0] result -> self = other) - && ([%#sfmap1] (forall k : t_K'0 . 
get_unsized'0 self k = get_unsized'0 other k) -> result)) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__contains_ghost [#"../../../creusot-contracts/src/logic/fmap.rs" 285 4 285 49] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 285 27 285 31 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 285 33 285 36 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 284 14 284 43 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 314 22 314 26 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 314 28 314 31 - let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 314 40 314 50 - let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 306 4 313 11 - let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 36 26 36 51 - let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 - let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 - let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - let%span sutil11 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 - let%span sutil12 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 - let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 452 20 452 91 - let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.UInt64 - type t_FMap'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_K'0 + use prelude.prelude.Int - type t_V'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_Option'1 = - | C_None'1 - | C_Some'1 t_V'0 + constant x : uint64 - use map.Map + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint64) : () - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap14] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 - -> view'0 m1 <> view'0 m2 + use prelude.prelude.UInt64 - use map.Map + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 - - = - [%#sfmap10] Map.get (view'0 self) k + use prelude.prelude.Int - function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap8] get_unsized'0 self k <> C_None'1 - - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'1) : t_V'0 + constant x : uint64 - axiom unwrap'0_spec : forall op : t_Option'1 . 
([%#sutil11] op <> C_None'1) - -> ([%#sutil12] C_Some'1 (unwrap'0 op) = op) + constant y : uint64 - function lookup_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 123 4 123 50] (self : t_FMap'0) (k : t_K'0) : t_V'0 - - = - [%#sfmap9] unwrap'0 (get_unsized'0 self k) + constant z : uint64 - predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + constant o : t_Ordering'0 - predicate invariant'5 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_V'0) = - [%#sboxed16] inv'7 self + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint64) (y : uint64) (z : uint64) (o : t_Ordering'0) : () + - predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'6 [@rewrite] : forall x : t_V'0 [inv'8 x] . inv'8 x = invariant'5 x + use prelude.prelude.UInt64 - predicate invariant'4 [#"../../../creusot-contracts/src/logic/fmap.rs" 451 4 451 30] (self : t_FMap'0) = - [%#sfmap15] forall k : t_K'0 . contains'0 self k -> inv'6 k /\ inv'8 (lookup_unsized'0 self k) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) + use prelude.prelude.Int - axiom inv_axiom'5 [@rewrite] : forall x : t_FMap'0 [inv'5 x] . 
inv'5 x = invariant'4 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_FMap'0) = - [%#sinvariant13] inv'5 self + constant x : uint64 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) + constant y : uint64 - axiom inv_axiom'0 [@rewrite] : forall x : t_FMap'0 [inv'0 x] . inv'0 x = invariant'0 x + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint64) (y : uint64) : () - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_K'0) = - [%#sinvariant13] inv'6 self + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) + use prelude.prelude.UInt64 - axiom inv_axiom'1 [@rewrite] : forall x : t_K'0 [inv'1 x] . 
inv'1 x = invariant'1 x + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + use prelude.prelude.Int - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_V'0) = - [%#sinvariant13] inv'7 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + constant x : uint64 - axiom inv_axiom'4 [@rewrite] : forall x : t_V'0 [inv'4 x] . inv'4 x = invariant'3 x + constant y : uint64 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint64) (y : uint64) : () - axiom inv_axiom'2 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - let rec get_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:t_Option'0))= {[@expl:get_ghost 'self' type invariant] [%#sfmap3] inv'0 self} - {[@expl:get_ghost 'key' type invariant] [%#sfmap4] inv'1 key} - any - [ return' (result:t_Option'0)-> {[%#sfmap5] inv'2 result} - {[%#sfmap6] if contains'0 self key then - match result with - | C_None'0 -> false - | C_Some'0 r -> lookup_unsized'0 self key = r - end - else - result = C_None'0 - } - (! return' {result}) ] - + use prelude.prelude.UInt64 - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Option'0) = - [%#sinvariant13] inv'2 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Int - axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x = invariant'2 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - let rec is_some'0 (self:t_Option'0) (return' (ret:bool))= {[@expl:is_some 'self' type invariant] inv'3 self} - any [ return' (result:bool)-> {[%#soption7] result = (self <> C_None'0)} (! 
return' {result}) ] + constant x : uint64 - use prelude.prelude.Intrinsic + constant y : uint64 - meta "compute_max_steps" 1000000 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint64) (y : uint64) : () - let rec contains_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:bool))= {[@expl:contains_ghost 'self' type invariant] [%#sfmap0] inv'0 self} - {[@expl:contains_ghost 'key' type invariant] [%#sfmap1] inv'1 key} - (! bb0 - [ bb0 = s0 [ s0 = get_ghost'0 {self} {key} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = is_some'0 {_5} (fun (_ret':bool) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : bool = any_l () | & self : t_FMap'0 = self | & key : t_K'0 = key | & _5 : t_Option'0 = any_l () ] - [ return' (result:bool)-> {[@expl:contains_ghost ensures] [%#sfmap2] result = contains'0 self key} - (! return' {result}) ] - + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + 
constant x : uint128 - constant y : int + constant y : uint128 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int) (y : int) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint128) (y : uint128) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int) (y : int) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint128) (y : uint128) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 
140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int) (y : int) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint128) (y : uint128) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o 
then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int) (y : int) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint128) (y : uint128) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint128) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 
157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - constant z : int + constant z : uint128 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int) (y : int) (z : int) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint128) (y : uint128) (z : uint128) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int) (y : int) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint128) (y : uint128) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then 
C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int) (y : int) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint128) (y : uint128) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int) (y : int) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint128) (y : uint128) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module 
M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint8) (y : uint8) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : usize) (y : usize) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o 
: uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint8) (y : uint8) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : usize) (y : usize) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint8) (y : uint8) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : usize) (y : usize) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> 
C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint8) (y : uint8) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : usize) (y : usize) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9479,25 +12639,25 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint8) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : usize) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9506,31 +12666,31 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - constant z : uint8 + constant z : usize constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint8) (y : uint8) (z : uint8) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : usize) (y : usize) (z : usize) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9539,26 +12699,26 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint8) (y : uint8) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : usize) (y : usize) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9567,25 +12727,25 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint8) (y : uint8) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : usize) (y : usize) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -9594,133 +12754,133 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint8) (y : uint8) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : usize) (y : usize) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 
130 8 130 39] (x : uint16) (y : uint16) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int8) (y : int8) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint16) (y : uint16) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int8) (y : int8) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span 
sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint16) (y : uint16) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int8) (y : int8) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else 
C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint16) (y : uint16) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int8) (y : int8) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9729,25 +12889,25 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint16) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int8) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9756,31 +12916,31 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - constant z : uint16 + constant z : int8 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint16) (y : uint16) (z : uint16) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int8) (y : int8) (z : int8) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9789,26 +12949,26 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint16) (y : uint16) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int8) (y : int8) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9817,25 +12977,25 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint16) (y : uint16) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int8) (y : int8) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -9844,133 +13004,133 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint16) (y : uint16) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int8) (y : int8) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint32) (y : uint32) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int16) (y : int16) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint32) (y : uint32) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int16) (y : int16) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint32) (y : uint32) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int16) (y : int16) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = 
[%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint32) (y : uint32) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int16) (y : int16) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -9979,25 +13139,25 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint32) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int16) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -10006,31 +13166,31 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - constant z : uint32 + constant z : int16 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint32) (y : uint32) (z : uint32) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int16) (y : int16) (z : int16) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -10039,26 +13199,26 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint32) (y : uint32) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int16) (y : int16) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -10067,25 +13227,25 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint32) (y : uint32) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int16) (y : int16) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -10094,133 +13254,133 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint32) (y : uint32) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int16) (y : int16) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint64) (y : uint64) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int32) (y : int32) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint64) (y : uint64) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int32) (y : int32) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint64) (y : uint64) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int32) (y : int32) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = 
[%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint64) (y : uint64) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int32) (y : int32) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10229,25 +13389,25 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint64) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int32) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10256,31 +13416,31 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - constant z : uint64 + constant z : int32 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint64) (y : uint64) (z : uint64) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int32) (y : int32) (z : int32) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10289,26 +13449,26 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint64) (y : uint64) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int32) (y : int32) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10317,25 +13477,25 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint64) (y : uint64) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int32) (y : int32) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -10344,133 +13504,133 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint64) (y : uint64) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int32) (y : int32) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint128) (y : uint128) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int64) (y : int64) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint128) (y : uint128) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int64) (y : int64) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint128) (y : uint128) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int64) (y : int64) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : 
t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint128) (y : uint128) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int64) (y : int64) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10479,25 +13639,25 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint128) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int64) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10506,31 +13666,31 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - constant z : uint128 + constant z : int64 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint128) (y : uint128) (z : uint128) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int64) (y : int64) (z : int64) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10539,26 +13699,26 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint128) (y : uint128) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int64) (y : int64) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10567,25 +13727,25 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint128) (y : uint128) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int64) (y : int64) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -10594,133 +13754,133 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint128) (y : uint128) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int64) (y : int64) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : usize) (y : usize) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int128) (y : int128) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : usize) (y : usize) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int128) (y : int128) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : usize) (y : usize) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int128) (y : int128) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : 
t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : usize) (y : usize) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int128) (y : int128) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10729,25 +13889,25 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : usize) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int128) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10756,31 +13916,31 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - constant z : usize + constant z : int128 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : usize) (y : usize) (z : usize) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int128) (y : int128) (z : int128) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10789,26 +13949,26 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : usize) (y : usize) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int128) (y : int128) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10817,25 +13977,25 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : usize) (y : usize) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int128) (y : int128) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -10844,133 +14004,133 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : usize) (y : usize) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int128) (y : int128) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int8) (y : int8) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : isize) (y : isize) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int8) (y : int8) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : isize) (y : isize) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int8) (y : int8) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : isize) (y : isize) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if 
self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int8) (y : int8) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : isize) (y : isize) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -10979,25 +14139,25 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int8) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : isize) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -11006,31 +14166,31 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - constant z : int8 + constant z : isize constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int8) (y : int8) (z : int8) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : isize) (y : isize) (z : isize) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -11039,26 +14199,26 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int8) (y : int8) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : isize) (y : isize) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -11067,25 +14227,25 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int8) (y : int8) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : isize) (y : isize) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -11094,1548 +14254,1363 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int8) (y : int8) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : isize) (y : isize) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, 
o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o <> C_Greater'0 - constant y : int16 + constant x : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : bool) (y : bool) : () + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | 
(False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o = C_Less'0 - constant y : int16 + constant x : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : bool) (y : bool) : () + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + 
function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o <> C_Less'0 - constant y : int16 + constant x : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : bool) (y : bool) : () + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self 
: bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o = C_Greater'0 - constant y : int16 + constant x : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : bool) (y : bool) : () + + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int16) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : bool) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x 
= C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord4] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - constant z : int16 + constant z : bool constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int16) (y : int16) (z : int16) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : bool) (y : bool) (z : bool) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym1 
[#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int16) (y : int16) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : bool) (y : bool) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span 
sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int16) (y : int16) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : bool) (y : bool) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | 
C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int16) (y : int16) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : bool) (y : bool) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* <(A, B) as logic::ord::OrdLogic> *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 276 20 276 68 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 
14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int32 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int32) (y : int32) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - use prelude.prelude.Int32 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int32 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int32) (y : int32) : () + axiom refl'0_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int32 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + + + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int32 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int32) (y : int32) : () + axiom refl'1_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int32 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : int32 + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant y : int32 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int32) (y : int32) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int32 + function le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_le_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'2 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 275 4 275 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ le_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ lt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) - constant x : int32 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int32) : () + constant x : (t_A'0, t_B'0) - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 + constant y : (t_A'0, t_B'0) + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi211457485035727011__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log 
[#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 282 20 282 67 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int32 + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 - - constant z : int32 - - constant o : 
t_Ordering'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int32) (y : int32) (z : int32) (o : t_Ordering'0) : () - + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int32 + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int32 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int32) (y : int32) : () + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int32 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int32 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int32 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int32) (y : int32) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int32 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int32) (y : int32) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use prelude.prelude.Int64 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int64 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int64) (y : int64) : () + axiom refl'1_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant x : int64 + function lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - constant y : int64 + function cmp_lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int64) (y : int64) : () + axiom cmp_lt_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'2 x y = (cmp_log'1 x y = C_Less'0) - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 281 4 281 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + + = + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ lt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ lt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : int64 + constant x : (t_A'0, t_B'0) - constant y : int64 + constant y : (t_A'0, t_B'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 
140 8 140 39] (x : int64) (y : int64) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 288 20 288 68 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int64 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int64 - constant y : int64 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int64) (y : int64) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int64 + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int64 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int64) : () + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - use prelude.prelude.Int64 + axiom refl'0_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - constant x : int64 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - constant y : int64 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant z : int64 + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant o : t_Ordering'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int64) (y : int64) (z : int64) (o : t_Ordering'0) : () - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int64 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int64 - constant y : int64 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int64) (y : int64) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int64 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int64) (y : int64) : () + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int64 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : int64 + axiom cmp_ge_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'2 x y = (cmp_log'1 x y <> C_Less'0) - constant y : int64 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int64) (y : int64) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int128 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 287 4 287 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + + = + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ ge_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ gt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + constant x : (t_A'0, t_B'0) - constant y : int128 + constant y : (t_A'0, t_B'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int128) (y : int128) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* <(A, B) as logic::ord::OrdLogic> *) + 
let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 294 20 294 67 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int128 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int128 - constant y : int128 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_lt_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int128) (y : int128) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - use prelude.prelude.Int128 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int128 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int128) (y : int128) : () + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int128 + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int128 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int128 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int128) (y : int128) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int128 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int128) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int128 + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 - - constant y : int128 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant z : int128 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - constant o : t_Ordering'0 + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int128) (y : int128) (z : int128) (o : t_Ordering'0) : () - + function gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function cmp_gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int128 + axiom cmp_gt_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'2 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant x : int128 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - constant y : int128 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int128) (y : int128) : () + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int128 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 293 4 293 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + + = + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ gt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ gt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : int128 + constant x : (t_A'0, t_B'0) - constant y 
: int128 + constant y : (t_A'0, t_B'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int128) (y : int128) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int128 + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . 
([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - constant y : int128 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int128) (y : int128) : () + axiom refl'1_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.IntSize + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : isize + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - constant y : isize + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : isize) (y : isize) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.IntSize + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : isize - constant y : isize + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : isize) (y : isize) : () + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) + -> ([%#sord14] cmp_log'2 y x = C_Less'0) - use prelude.prelude.IntSize + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord11] cmp_log'2 x y = C_Less'0) + -> ([%#sord12] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) + -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) - constant y : isize + function refl'2 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : isize) (y : isize) : () + axiom refl'2_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.IntSize + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : isize + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant y : isize + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : isize) (y : isize) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.IntSize + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : isize + constant x : (t_A'0, t_B'0) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : isize) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : (t_A'0, t_B'0)) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi1910662420989811789__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* <(A, B) as logic::ord::OrdLogic> *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.IntSize + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - constant y : isize + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant z : isize + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - constant o : t_Ordering'0 + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : isize) (y : isize) (z : isize) (o : t_Ordering'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - use prelude.prelude.IntSize + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom refl'0_spec : forall x : t_A'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - constant x : isize + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - constant y : isize + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : isize) (y : isize) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use prelude.prelude.IntSize + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - constant x : isize + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - constant y : isize + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : isize) (y : isize) : () + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord17] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.IntSize + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord15] cmp_log'2 x y = C_Greater'0) + -> ([%#sord16] cmp_log'2 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Less'0) + -> ([%#sord14] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function trans'2 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + axiom trans'2_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord10] cmp_log'2 x y = o) + -> ([%#sord11] cmp_log'2 y z = o) -> ([%#sord12] cmp_log'2 x z = o) - constant y : isize + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : isize) (y : isize) : () + axiom refl'1_spec : forall x : t_B'0 . 
[%#sord9] cmp_log'2 x x = C_Equal'0 - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord8] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - constant x : bool + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant y : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : bool) (y : bool) : () + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + [%#sord4] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o = C_Less'0 + constant x : (t_A'0, t_B'0) - constant x : bool + constant y : (t_A'0, t_B'0) - constant y : bool + constant z : (t_A'0, t_B'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : bool) (y : bool) : () + constant o : t_Ordering'0 - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) (z : (t_A'0, t_B'0)) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o <> C_Less'0 + function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - constant x : bool + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant y : bool + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : bool) (y : bool) : () + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o = C_Greater'0 + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant x : bool + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - constant y : bool + axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : bool) (y : bool) : () + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord2] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - constant x : bool + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : bool) : () + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord4] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom 
cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - constant x : bool + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - constant y : bool + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - constant z : bool + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - constant o : t_Ordering'0 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : bool) (y : bool) (z : bool) (o : t_Ordering'0) : () - + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function antisym1'2 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - constant x : bool + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : bool + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : bool) (y : bool) : () + axiom refl'1_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - constant x : bool + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - constant y : bool + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : bool) (y : bool) : () + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : bool + constant x : (t_A'0, t_B'0) - constant y : bool + constant y : (t_A'0, t_B'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : bool) (y : bool) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 276 20 276 68 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 let%span sord4 = 
"../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 
@@ -12660,114 +15635,107 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#".. | C_Equal'0 | C_Greater'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + function antisym2'2 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + axiom antisym2'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function cmp_le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_le_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'2 x y = (cmp_log'1 x y <> C_Greater'0) + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 275 4 275 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ le_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ lt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 
@@ -12782,29 +15750,28 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#".. constant y : (t_A'0, t_B'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 282 20 282 67 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 
14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 type t_A'0 
@@ -12815,119 +15782,112 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#".. | C_Equal'0 | C_Greater'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom refl'0_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function eq_cmp'2 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom eq_cmp'2_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) + -> ([%#sord14] cmp_log'2 y x = C_Less'0) - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord11] cmp_log'2 x y = C_Less'0) + -> ([%#sord12] cmp_log'2 y x = C_Greater'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) + -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + axiom refl'1_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - function cmp_lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_lt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'2 x y = (cmp_log'1 x y = C_Less'0) + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 281 4 281 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ lt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ lt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) else r 
@@ -12937,1495 +15897,2174 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#".. constant y : (t_A'0, t_B'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 288 20 288 68 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = 
"../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__logic__seq__qyi345269549310492227__concat_contains [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (* logic::seq::Seq *) + let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq1 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_A'0 + type t_T'0 - type t_B'0 + use seq.Seq - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq2] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + constant _1 : () + + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () + + goal vc_concat_contains'0 : [%#sseq0] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . 
contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x +end +module M_creusot_contracts__ptr_own__qyi17842610664047605351__new [#"../../../creusot-contracts/src/ptr_own.rs" 52 4 52 56] (* ptr_own::PtrOwn *) + let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 52 15 52 16 + let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 52 24 52 56 + let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 51 14 51 64 + let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 61 20 61 23 + let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 61 36 61 68 + let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 60 14 60 67 + let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 + let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + let%span sptr_own8 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 + let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + + type t_T'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed7] inv'0 self + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x + + use prelude.prelude.Opaque + + type t_PtrOwn'0 + + type t_GhostBox'0 = + { t_GhostBox__0'0: t_PtrOwn'0 } + + use prelude.prelude.Borrow + + function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + + use prelude.prelude.Int + + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = + [%#sptr10] addr_logic'0 self = 0 + + axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr9] is_null_logic'0 self = (addr_logic'0 self = 0) + + function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + + predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = + [%#sptr_own8] not is_null_logic'0 (ptr'0 self) /\ inv'2 (val'0 self) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + + axiom inv_axiom'4 [@rewrite] : forall x : t_PtrOwn'0 [inv'5 x] . inv'5 x = invariant'2 x + + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = + [%#sboxed7] inv'5 self + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'1 x + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (opaque_ptr, t_GhostBox'0)) + + axiom inv_axiom'0 [@rewrite] : forall x : (opaque_ptr, t_GhostBox'0) [inv'1 x] . 
inv'1 x + = (let (x0, x1) = x in inv'3 x1) + + function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = + [%#sghost6] self.t_GhostBox__0'0 + + let rec from_box'0 (val':t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:from_box 'val' type invariant] [%#sptr_own3] inv'2 val'} + any + [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[%#sptr_own4] inv'1 result} + {[%#sptr_own5] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) + /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = val'} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + meta "compute_max_steps" 1000000 + + let rec new'0 (v:t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:new 'v' type invariant] [%#sptr_own0] inv'0 v} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = s0 [ s0 = from_box'0 {v} (fun (_ret':(opaque_ptr, t_GhostBox'0)) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : (opaque_ptr, t_GhostBox'0) = any_l () | & v : t_T'0 = v ] + [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[@expl:new result type invariant] [%#sptr_own1] inv'1 result} + {[@expl:new ensures] [%#sptr_own2] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) + /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = v} + (! 
return' {result}) ] +end +module M_creusot_contracts__ptr_own__qyi17842610664047605351__drop [#"../../../creusot-contracts/src/ptr_own.rs" 98 4 98 57] (* ptr_own::PtrOwn *) + let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 98 32 98 35 + let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 97 15 97 31 + let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 92 34 92 37 + let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 89 15 89 31 + let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 92 63 92 69 + let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 90 14 90 35 + let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 + let%span sresolve7 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 + let%span sboxed8 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + let%span sptr_own9 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 + let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr11 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_PtrOwn'0 - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_PtrOwn'0 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + use prelude.prelude.Opaque - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + use prelude.prelude.Int - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = + [%#sptr11] addr_logic'0 self = 0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr10] is_null_logic'0 self = (addr_logic'0 self = 0) - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + type t_T'0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed8] inv'3 self - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + axiom inv_axiom'0 [@rewrite] : forall x : t_T'0 [inv'0 x] . inv'0 x = invariant'0 x - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = + [%#sptr_own9] not is_null_logic'0 (ptr'0 self) /\ inv'0 (val'0 self) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'2 x - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = + [%#sboxed8] inv'4 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom inv_axiom'2 [@rewrite] : forall x : t_PtrOwn'0 [inv'2 x] . inv'2 x = invariant'1 x - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = + [%#sghost6] self.t_GhostBox__0'0 - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + let rec to_box'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:to_box 'own' type invariant] [%#sptr_own2] inv'1 own} + {[@expl:to_box requires] [%#sptr_own3] ptr = ptr'0 (inner_logic'0 own)} + any + [ return' (result:t_T'0)-> {[%#sptr_own4] inv'0 result} + {[%#sptr_own5] result = val'0 (inner_logic'0 own)} + (! return' {result}) ] + - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = + [%#sresolve7] resolve'2 self - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) = + resolve'1 _1 - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Intrinsic - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + meta "compute_max_steps" 1000000 + + let rec drop'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:()))= {[@expl:drop 'own' type invariant] [%#sptr_own0] inv'1 own} + {[@expl:drop requires] [%#sptr_own1] ptr = ptr'0 (inner_logic'0 own)} + (! bb0 + [ bb0 = s0 [ s0 = to_box'0 {ptr} {own} (fun (_ret':t_T'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = {[@expl:type invariant] inv'0 _4} s1 | s1 = -{resolve'0 _4}- s2 | s2 = bb2 ] + | bb2 = bb3 + | bb3 = return' {_0} ] + ) [ & _0 : () = any_l () | & ptr : opaque_ptr = ptr | & own : t_GhostBox'0 = own | & _4 : t_T'0 = any_l () ] + [ return' (result:())-> (! return' {result}) ] +end +module M_creusot_contracts__resolve__qyi4855891653524509355__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (* <(T1, T2) as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 45 15 45 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 46 14 46 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 43 4 43 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 40 8 40 44 - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Borrow - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_T1'0 - axiom refl'1_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + type t_T2'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T2'0) - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T1'0) - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : (t_T1'0, t_T2'0)) = + match _1 with + | (x0, x1) -> resolve'1 x1 /\ resolve'2 x0 + end - function ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 39 4 39 28] (self : (t_T1'0, t_T2'0)) = + [%#sresolve3] resolve'2 (let (a, _) = self in a) /\ resolve'1 (let (_, a) = self in a) - function cmp_ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + constant self : (t_T1'0, t_T2'0) - axiom cmp_ge_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord6] ge_log'2 x y = (cmp_log'1 x y <> C_Less'0) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (self : (t_T1'0, t_T2'0)) : () - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi6740873903368268328__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (* <&mut T as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 59 15 59 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 60 14 60 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 57 4 57 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Borrow - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + type t_T'0 - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : borrowed t_T'0) = + _1.final = _1.current - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + constant self : borrowed t_T'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 287 4 287 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ ge_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ gt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (self : borrowed t_T'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi10830812895881240411__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (* as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 73 15 73 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 74 14 74 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 71 4 71 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 - constant x : (t_A'0, t_B'0) + use prelude.prelude.Borrow - constant y : (t_A'0, t_B'0) + type t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* 
<(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 294 20 294 67 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_T'0) = + resolve'1 _1 - type t_A'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = + [%#sresolve3] resolve'1 self - type t_B'0 + constant self : t_T'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (self : t_T'0) : () - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + goal vc_resolve_coherence'0 : 
([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi12875730110607858017__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (* as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 90 15 90 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 91 14 91 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 88 4 88 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_T'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_Option'0) = + match _1 with + | C_None'0 -> true + | C_Some'0 x0 -> resolve'1 x0 + end - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = + [%#sresolve3] match self with + | C_Some'0 x -> resolve'1 x + | C_None'0 -> true + end - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + constant self : t_Option'0 - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (self : t_Option'0) : () - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__snapshot__qyi5567339964777190687__clone [#"../../../creusot-contracts/src/snapshot.rs" 59 4 59 27] (* as std::clone::Clone> *) + let%span ssnapshot0 = "../../../creusot-contracts/src/snapshot.rs" 58 14 58 29 - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + type t_T'0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.Snapshot - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Intrinsic - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use prelude.prelude.Borrow - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + meta "compute_max_steps" 1000000 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + let rec clone'0 (self:Snapshot.snap_ty t_T'0) (return' (ret:Snapshot.snap_ty t_T'0))= (! bb0 + [ bb0 = s0 [ s0 = [ &_0 <- self ] s1 | s1 = return' {_0} ] ] + ) [ & _0 : Snapshot.snap_ty t_T'0 = any_l () | & self : Snapshot.snap_ty t_T'0 = self ] + [ return' (result:Snapshot.snap_ty t_T'0)-> {[@expl:clone ensures] [%#ssnapshot0] result = self} + (! return' {result}) ] + +end +module M_creusot_contracts__util__unwrap [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] + let%span sutil0 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil1 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 + let%span sutil2 = "../../../creusot-contracts/src/util.rs" 45 11 45 16 + let%span sutil3 = "../../../creusot-contracts/src/util.rs" 46 10 46 15 + let%span sutil4 = "../../../creusot-contracts/src/util.rs" 47 10 47 11 + let%span sutil5 = "../../../creusot-contracts/src/util.rs" 58 4 61 5 - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + type t_T'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function unreachable'0 [#"../../../creusot-contracts/src/util.rs" 48 0 48 28] (_1 : ()) : t_T'0 - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + axiom unreachable'0_spec : forall _1 : () . 
([%#sutil2] false) -> ([%#sutil3] false) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + constant op : t_Option'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'0) : t_T'0 - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + goal vc_unwrap'0 : ([%#sutil0] op <> C_None'0) + -> match op with + | C_Some'0 t -> [%#sutil1] C_Some'0 t = op + | C_None'0 -> ([@expl:unreachable requires] [%#sutil2] false) + /\ (([%#sutil3] false) -> ([%#sutil1] C_Some'0 (unreachable'0 ()) = op)) + end +end +module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_refl__refines [#"../../../creusot-contracts/src/std/array.rs" 73 4 73 26] (* as std::iter::Iterator> *) + let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 73 4 73 26 + let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.Slice - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_T'0 } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_MaybeUninit'0 = + { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_IndexRange'0 = + { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_IntoIter'0 = + { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use seq.Seq - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) - function cmp_gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + goal refines : [%#sarray0] forall self : t_IntoIter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_trans__refines [#"../../../creusot-contracts/src/std/array.rs" 80 4 80 90] (* as std::iter::Iterator> *) + let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 80 4 80 90 + let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 - axiom cmp_gt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'2 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Slice - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + type t_T'0 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_T'0 } - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + type t_MaybeUninit'0 = + { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.UIntSize - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_IndexRange'0 = + { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + type t_IntoIter'0 = + { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 293 4 293 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ gt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ gt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) + [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + goal refines : [%#sarray0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 78 4 78 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 78 4 78 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - constant x : (t_A'0, t_B'0) + use prelude.prelude.UInt16 - constant y : (t_A'0, t_B'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 
51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Opaque - type t_A'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_B'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Borrow - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_K'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_V'0 - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use seq.Seq - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_FMap'0 - axiom refl'1_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_Iter'0) : t_FMap'0 + - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Int - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use map.Map - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + = + [%#sfmap6] Map.get (view'1 self) k - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) - -> ([%#sord14] cmp_log'2 y x = C_Less'0) + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) - -> ([%#sord12] cmp_log'2 y x = C_Greater'0) + goal refines : [%#shash_map0] forall self : t_Iter'0 . 
forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 85 4 85 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 85 4 85 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + use prelude.prelude.UInt16 - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) - -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function refl'2 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom refl'2_spec : forall x : t_B'0 . 
[%#sord7] cmp_log'2 x x = C_Equal'0 + use prelude.prelude.Opaque - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.UIntSize - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + type t_K'0 - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_V'0 - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + type t_FMap'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_Iter'0) : t_FMap'0 - constant x : (t_A'0, t_B'0) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : (t_A'0, t_B'0)) : () + use prelude.prelude.Int - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 
45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - type t_A'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - type t_B'0 + use seq.Seq - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + use map.Map - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + use map.Map - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + = + [%#sfmap6] Map.get (view'1 self) k - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - axiom refl'0_spec : forall x : t_A'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . 
contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + goal refines : [%#shash_map0] forall a : t_Iter'0 . forall ab : Seq.seq (t_K'0, t_V'0) . forall b : t_Iter'0 . forall bc : Seq.seq (t_K'0, t_V'0) . forall c : t_Iter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 136 4 136 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 136 4 136 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.UInt16 - function cmp_ge_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Opaque - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UIntSize - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | 
C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord17] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_K'0 - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord15] cmp_log'2 x y = C_Greater'0) - -> ([%#sord16] cmp_log'2 y x = C_Less'0) + type t_V'0 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Less'0) - -> ([%#sord14] cmp_log'2 y x = C_Greater'0) + type t_FMap'0 - function trans'2 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 96 4 96 33] (self : t_IntoIter'0) : t_FMap'0 - axiom trans'2_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord10] cmp_log'2 x y = o) - -> ([%#sord11] cmp_log'2 y z = o) -> ([%#sord12] cmp_log'2 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - - axiom refl'1_spec : forall x : t_B'0 . 
[%#sord9] cmp_log'2 x x = C_Equal'0 - - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.Int - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord8] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use map.Map - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#sord4] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - - - constant x : (t_A'0, t_B'0) + [%#sfmap6] Map.get (view'1 self) k - constant y : (t_A'0, t_B'0) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - constant z : (t_A'0, t_B'0) + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - constant o : t_Ordering'0 + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) (z : (t_A'0, t_B'0)) (o : 
t_Ordering'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 104 4 104 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) + use seq.Seq + + goal refines : [%#shash_map0] forall a : t_IntoIter'0 . forall ab : Seq.seq (t_K'0, t_V'0) . forall b : t_IntoIter'0 . forall bc : Seq.seq (t_K'0, t_V'0) . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 129 4 129 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 129 4 129 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span 
sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_A'0 + use prelude.prelude.UInt16 - type t_B'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { 
t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_K'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + type t_V'0 + + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + type t_FMap'0 - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 96 4 96 33] (self : t_IntoIter'0) : t_FMap'0 + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Int - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap2] len'0 self >= 0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + use map.Map - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + + = + [%#sfmap6] Map.get (view'1 self) k - function antisym1'2 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - axiom antisym1'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 104 4 104 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . 
get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + goal refines : [%#shash_map0] forall self : t_IntoIter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 187 4 187 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 187 4 187 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + use prelude.prelude.UInt16 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use prelude.prelude.Opaque - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.UIntSize - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + type t_K'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + type t_V'0 - constant x : (t_A'0, t_B'0) + use seq.Seq - constant y : (t_A'0, t_B'0) + type t_FMap'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 147 4 147 33] (self : t_IterMut'0) : t_FMap'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Int - type t_A'0 + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - type t_B'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + use map.Map - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use map.Map - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 + = + [%#sfmap6] Map.get (view'1 self) k - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - - axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, borrowed t_V'0) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 155 4 155 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . get'1 visited i1 + = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + goal refines : [%#shash_map0] forall a : t_IterMut'0 . forall ab : Seq.seq (t_K'0, borrowed t_V'0) . forall b : t_IterMut'0 . forall bc : Seq.seq (t_K'0, borrowed t_V'0) . forall c : t_IterMut'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.UInt16 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use prelude.prelude.Opaque - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - function antisym2'2 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - axiom antisym2'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + use seq.Seq - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + type t_K'0 - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + type t_V'0 - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + use seq.Seq - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + type t_FMap'0 - axiom refl'1_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 147 4 147 33] (self : t_IterMut'0) : t_FMap'0 + - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.Int - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use map.Map - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r + [%#sfmap6] Map.get (view'1 self) k + + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end - constant x : (t_A'0, t_B'0) + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, borrowed t_V'0) - constant y : (t_A'0, t_B'0) + function get'1 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'2 + + = + [%#sseq5] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + predicate produces'0 
[#"../../../creusot-contracts/src/std/collections/hash_map.rs" 155 4 155 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) k = C_Some'0 v /\ get'0 (view'0 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . get'1 visited i1 + = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) + goal refines : [%#shash_map0] forall self : t_IterMut'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 75 4 75 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 75 4 75 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span sfset2 = 
"../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_A'0 + use prelude.prelude.UInt16 - type t_B'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom refl'0_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Borrow - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use set.Fset - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_Iter'0) : Fset.fset t_T'0 + - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use set.Fset - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Int - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use set.Fset - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset2] Fset.mem e self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 54 4 54 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 
0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - function eq_cmp'2 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + goal refines : [%#shash_set0] forall self : t_Iter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 82 4 82 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 82 4 82 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom eq_cmp'2_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) + use prelude.prelude.UInt16 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) - -> ([%#sord14] cmp_log'2 y x = C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Opaque - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord11] cmp_log'2 x y = C_Less'0) - -> ([%#sord12] cmp_log'2 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) - -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + use prelude.prelude.UIntSize - axiom refl'1_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + type t_T'0 - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + use set.Fset - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_Iter'0) : Fset.fset t_T'0 + - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + use set.Fset - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) = - [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + [%#sfset2] Fset.mem e self - constant x : (t_A'0, t_B'0) + use seq.Seq - constant y : (t_A'0, t_B'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 54 4 54 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__ptr_own__qyi17842610664047605351__new [#"../../../creusot-contracts/src/ptr_own.rs" 52 4 52 56] (* ptr_own::PtrOwn *) - let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 52 15 52 16 - let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 52 24 52 56 - let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 51 14 51 64 - let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 61 20 61 23 - let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 61 36 61 68 - let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 60 14 60 67 - let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 - let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sptr_own8 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 - let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 
82 8 82 30 - - type t_T'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal refines : [%#shash_set0] forall a : t_Iter'0 . forall ab : Seq.seq t_T'0 . forall b : t_Iter'0 . forall bc : Seq.seq t_T'0 . forall c : t_Iter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 131 4 131 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 131 4 131 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed7] inv'0 self + use prelude.prelude.UInt16 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } use prelude.prelude.Opaque - type t_PtrOwn'0 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - type t_GhostBox'0 = - { t_GhostBox__0'0: t_PtrOwn'0 } + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - use prelude.prelude.Borrow + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + use prelude.prelude.UIntSize - use prelude.prelude.Int + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = - [%#sptr10] addr_logic'0 self = 0 + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | 
C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr9] is_null_logic'0 self = (addr_logic'0 self = 0) + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = - [%#sptr_own8] not is_null_logic'0 (ptr'0 self) /\ inv'2 (val'0 self) + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - axiom inv_axiom'4 [@rewrite] : forall x : t_PtrOwn'0 [inv'5 x] . 
inv'5 x = invariant'2 x + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = - [%#sboxed7] inv'5 self + type t_T'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + use seq.Seq - axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'1 x + use set.Fset - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 95 4 95 33] (self : t_IntoIter'0) : Fset.fset t_T'0 + - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + use set.Fset - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (opaque_ptr, t_GhostBox'0)) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : (opaque_ptr, t_GhostBox'0) [inv'1 x] . inv'1 x - = (let (x0, x1) = x in inv'3 x1) + use prelude.prelude.Int - function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = - [%#sghost6] self.t_GhostBox__0'0 + use set.Fset - let rec from_box'0 (val':t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:from_box 'val' type invariant] [%#sptr_own3] inv'2 val'} - any - [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[%#sptr_own4] inv'1 result} - {[%#sptr_own5] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) - /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = val'} - (! 
return' {result}) ] + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + = + [%#sfset2] Fset.mem e self - use prelude.prelude.Intrinsic + use seq.Seq - meta "compute_max_steps" 1000000 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - let rec new'0 (v:t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:new 'v' type invariant] [%#sptr_own0] inv'0 v} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = s0 [ s0 = from_box'0 {v} (fun (_ret':(opaque_ptr, t_GhostBox'0)) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] - | bb3 = bb4 - | bb4 = return' {_0} ] - ) [ & _0 : (opaque_ptr, t_GhostBox'0) = any_l () | & v : t_T'0 = v ] - [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[@expl:new result type invariant] [%#sptr_own1] inv'1 result} - {[@expl:new ensures] [%#sptr_own2] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) - /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = v} - (! 
return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 103 4 103 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) -end -module M_creusot_contracts__ptr_own__qyi17842610664047605351__drop [#"../../../creusot-contracts/src/ptr_own.rs" 98 4 98 57] (* ptr_own::PtrOwn *) - let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 98 32 98 35 - let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 97 15 97 31 - let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 92 34 92 37 - let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 89 15 89 31 - let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 92 63 92 69 - let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 90 14 90 35 - let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 - let%span sresolve7 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 - let%span sboxed8 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sptr_own9 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 - let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr11 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - - type t_PtrOwn'0 - - type t_GhostBox'0 = - { t_GhostBox__0'0: t_PtrOwn'0 } + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 
0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - use prelude.prelude.Borrow + use seq.Seq - use prelude.prelude.Opaque + goal refines : [%#shash_set0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 124 4 124 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 124 4 124 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + use prelude.prelude.UInt16 - use prelude.prelude.Int + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = - [%#sptr11] addr_logic'0 self = 0 + use prelude.prelude.Opaque - axiom is_null_logic'0_spec : forall self : opaque_ptr . 
[%#sptr10] is_null_logic'0 self = (addr_logic'0 self = 0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - type t_T'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.UIntSize - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed8] inv'3 self + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom inv_axiom'0 [@rewrite] : forall x : t_T'0 [inv'0 x] . 
inv'0 x = invariant'0 x + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = - [%#sptr_own9] not is_null_logic'0 (ptr'0 self) /\ inv'0 (val'0 self) + type t_Option'0 = + | 
C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'2 x + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = - [%#sboxed8] inv'4 self + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom inv_axiom'2 [@rewrite] : forall x : t_PtrOwn'0 [inv'2 x] . inv'2 x = invariant'1 x + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + type t_T'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + use seq.Seq - function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = - [%#sghost6] self.t_GhostBox__0'0 + use set.Fset - let rec to_box'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:to_box 'own' type invariant] [%#sptr_own2] inv'1 own} - {[@expl:to_box requires] [%#sptr_own3] ptr = ptr'0 (inner_logic'0 own)} - any - [ return' (result:t_T'0)-> {[%#sptr_own4] inv'0 result} - {[%#sptr_own5] result = val'0 (inner_logic'0 own)} - (! 
return' {result}) ] + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 95 4 95 33] (self : t_IntoIter'0) : Fset.fset t_T'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = - [%#sresolve7] resolve'2 self + use set.Fset - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) = - resolve'1 _1 + use seq.Seq - use prelude.prelude.Intrinsic + use prelude.prelude.Int - meta "compute_max_steps" 1000000 + use set.Fset - let rec drop'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:()))= {[@expl:drop 'own' type invariant] [%#sptr_own0] inv'1 own} - {[@expl:drop requires] [%#sptr_own1] ptr = ptr'0 (inner_logic'0 own)} - (! bb0 - [ bb0 = s0 [ s0 = to_box'0 {ptr} {own} (fun (_ret':t_T'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = {[@expl:type invariant] inv'0 _4} s1 | s1 = -{resolve'0 _4}- s2 | s2 = bb2 ] - | bb2 = bb3 - | bb3 = return' {_0} ] - ) [ & _0 : () = any_l () | & ptr : opaque_ptr = ptr | & own : t_GhostBox'0 = own | & _4 : t_T'0 = any_l () ] - [ return' (result:())-> (! 
return' {result}) ] + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) -end -module M_creusot_contracts__resolve__qyi4855891653524509355__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (* <(T1, T2) as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 45 15 45 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 46 14 46 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 43 4 43 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 40 8 40 44 + = + [%#sfset2] Fset.mem e self - use prelude.prelude.Borrow + use seq.Seq - type t_T1'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - type t_T2'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 103 4 103 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T2'0) + goal refines : [%#shash_set0] forall self : t_IntoIter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 209 4 209 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 209 4 209 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T1'0) + use prelude.prelude.UInt16 - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : (t_T1'0, t_T2'0)) = - match _1 with - | (x0, x1) -> resolve'1 x1 /\ resolve'2 x0 - end + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 39 4 39 28] (self : (t_T1'0, t_T2'0)) = - [%#sresolve3] resolve'2 (let (a, _) = self in a) /\ resolve'1 (let (_, a) = self in a) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - constant self : (t_T1'0, t_T2'0) + use prelude.prelude.Opaque - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (self : (t_T1'0, t_T2'0)) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi6740873903368268328__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (* <&mut T as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 59 15 59 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 60 14 60 31 - let%span 
sresolve2 = "../../../creusot-contracts/src/resolve.rs" 57 4 57 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - use prelude.prelude.Borrow + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - type t_T'0 + use prelude.prelude.UIntSize - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : borrowed t_T'0) = - _1.final = _1.current + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - constant self : borrowed t_T'0 + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (self : borrowed t_T'0) : () + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi10830812895881240411__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (* as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 73 15 73 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 74 14 74 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 71 4 71 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } use prelude.prelude.Borrow - type t_T'0 - - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + type t_S'0 - predicate structural_resolve'0 
[#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_T'0) = - resolve'1 _1 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = - [%#sresolve3] resolve'1 self + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - constant self : t_T'0 + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (self : t_T'0) : () + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi12875730110607858017__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (* as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 90 15 90 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 91 14 91 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 88 4 88 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - use prelude.prelude.Borrow + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - type t_T'0 + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + type t_T'0 - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_Option'0) = - match _1 with - | C_None'0 -> true - | C_Some'0 x0 -> 
resolve'1 x0 - end + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = - [%#sresolve3] match self with - | C_Some'0 x -> resolve'1 x - | C_None'0 -> true - end + use set.Fset - constant self : t_Option'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 180 4 180 33] (self : t_Intersection'0) : Fset.fset t_T'0 + - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (self : t_Option'0) : () + use set.Fset - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__snapshot__qyi5567339964777190687__clone [#"../../../creusot-contracts/src/snapshot.rs" 59 4 59 27] (* as std::clone::Clone> *) - let%span ssnapshot0 = "../../../creusot-contracts/src/snapshot.rs" 58 14 58 29 + use seq.Seq - type t_T'0 + use prelude.prelude.Int - use prelude.prelude.Snapshot + use set.Fset - use prelude.prelude.Intrinsic + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset2] Fset.mem e self - use prelude.prelude.Borrow + use seq.Seq - meta "compute_max_steps" 1000000 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - let rec clone'0 (self:Snapshot.snap_ty t_T'0) (return' (ret:Snapshot.snap_ty t_T'0))= (! bb0 - [ bb0 = s0 [ s0 = [ &_0 <- self ] s1 | s1 = return' {_0} ] ] - ) [ & _0 : Snapshot.snap_ty t_T'0 = any_l () | & self : Snapshot.snap_ty t_T'0 = self ] - [ return' (result:Snapshot.snap_ty t_T'0)-> {[@expl:clone ensures] [%#ssnapshot0] result = self} - (! 
return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 188 4 188 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) + = + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) + + goal refines : [%#shash_set0] forall self : t_Intersection'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__util__unwrap [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] - let%span sutil0 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 - let%span sutil1 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 - let%span sutil2 = "../../../creusot-contracts/src/util.rs" 45 11 45 16 - let%span sutil3 = "../../../creusot-contracts/src/util.rs" 46 10 46 15 - let%span sutil4 = "../../../creusot-contracts/src/util.rs" 47 10 47 11 - let%span sutil5 = "../../../creusot-contracts/src/util.rs" 58 4 61 5 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 
46 8 46 26 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_T'0 + use prelude.prelude.UInt16 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function unreachable'0 [#"../../../creusot-contracts/src/util.rs" 48 0 48 28] (_1 : ()) : t_T'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom unreachable'0_spec : forall _1 : () . ([%#sutil2] false) -> ([%#sutil3] false) + use prelude.prelude.Opaque - constant op : t_Option'0 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'0) : t_T'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - goal vc_unwrap'0 : ([%#sutil0] op <> C_None'0) - -> match op with - | C_Some'0 t -> [%#sutil1] C_Some'0 t = op - | C_None'0 -> ([@expl:unreachable requires] [%#sutil2] false) - /\ (([%#sutil3] false) -> ([%#sutil1] C_Some'0 (unreachable'0 ()) = op)) - end -end -module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_refl__refines [#"../../../creusot-contracts/src/std/array.rs" 73 4 73 26] (* as std::iter::Iterator> *) - let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 73 4 73 26 - let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - use prelude.prelude.Slice + use prelude.prelude.UIntSize - type t_T'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_T'0 } + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - type t_MaybeUninit'0 = - { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } + type t_Keys'0 = + { t_Keys__inner'0: 
t_Iter'2 } - use prelude.prelude.UIntSize + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - type t_IndexRange'0 = - { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - type t_IntoIter'0 = - { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } + use prelude.prelude.Borrow - use seq.Seq + type t_S'0 - use seq.Seq + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - use seq.Seq + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - goal refines : [%#sarray0] forall self : t_IntoIter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self - -> produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_trans__refines [#"../../../creusot-contracts/src/std/array.rs" 80 4 80 90] (* as std::iter::Iterator> *) - let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 80 4 80 90 - let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - use prelude.prelude.Slice + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - type t_T'0 + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_T'0 } + type t_T'0 - type t_MaybeUninit'0 = - { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } + use seq.Seq - use prelude.prelude.UIntSize + use set.Fset - type t_IndexRange'0 = - { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 180 4 180 33] (self : t_Intersection'0) : Fset.fset t_T'0 + - type t_IntoIter'0 = - { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } + use set.Fset use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_T'0) (e : t_T'0) + + = + [%#sfset2] Fset.mem e self use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq3] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 188 4 188 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = - [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) + [%#shash_set1] Fset.cardinal (view'0 self) = Seq.length visited + Fset.cardinal (view'0 o) + /\ (forall x : t_T'0 . contains'0 (view'0 self) x -> contains'1 visited x \/ contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'0 self) x /\ not contains'0 (view'0 o) x) + /\ (forall x : t_T'0 . contains'0 (view'0 o) x -> contains'0 (view'0 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) - goal refines : [%#sarray0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + use seq.Seq + + goal refines : [%#shash_set0] forall a : t_Intersection'0 . forall ab : Seq.seq t_T'0 . forall b : t_Intersection'0 . forall bc : Seq.seq t_T'0 . forall c : t_Intersection'0 . produces'0 b bc c /\ produces'0 a ab b -> produces'0 b bc c /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) 
@@ -24067,7 +27706,7 @@ module M_creusot_contracts__stdqy35z1__vec__qyi6844585276173866460__resolve_cohe let%span sindex3 = "../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span svec5 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -24131,7 +27770,7 @@ module M_creusot_contracts__stdqy35z1__vec__qyi6844585276173866460__resolve_cohe axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'3 x - predicate invariant'2 [#"../../../creusot-contracts/src/logic/seq.rs" 622 4 622 30] (self : Seq.seq t_T'0) = + predicate invariant'2 [#"../../../creusot-contracts/src/logic/seq.rs" 632 4 632 30] (self : Seq.seq t_T'0) = [%#sseq6] forall i : int . 0 <= i /\ i < Seq.length self -> inv'3 (Seq.get self i) predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Seq.seq t_T'0) 
@@ -25111,10 +28750,10 @@ module M_creusot_contracts__logic__fmap__qyi4648834920430559677__clone__refines goal refines : [%#sfmap0] forall self : t_FMap'0 . inv'0 self -> inv'0 self /\ (forall result : t_FMap'0 . result = self /\ inv'1 result -> result = self /\ inv'1 result) end -module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines [#"../../../creusot-contracts/src/logic/fset.rs" 312 4 312 27] (* as std::clone::Clone> *) - let%span sfset0 = "../../../creusot-contracts/src/logic/fset.rs" 312 4 312 27 +module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines [#"../../../creusot-contracts/src/logic/fset.rs" 323 4 323 27] (* as std::clone::Clone> *) + let%span sfset0 = "../../../creusot-contracts/src/logic/fset.rs" 323 4 323 27 let%span sinvariant1 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 326 20 326 63 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 337 20 337 63 let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 use prelude.prelude.Borrow @@ -25132,7 +28771,7 @@ module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - predicate invariant'1 [#"../../../creusot-contracts/src/logic/fset.rs" 325 4 325 30] (self : Fset.fset t_T'0) = + predicate invariant'1 [#"../../../creusot-contracts/src/logic/fset.rs" 336 4 336 30] (self : Fset.fset t_T'0) = [%#sfset2] forall x : t_T'0 . contains'0 self x -> inv'2 x predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Fset.fset t_T'0) 
@@ -25167,10 +28806,10 @@ module M_creusot_contracts__logic__int__qyi3540547019284611154__clone__refines [ goal refines : [%#sint0] forall self : int . inv'0 self -> (forall result : int . result = self -> result = self /\ inv'1 result) end -module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [#"../../../creusot-contracts/src/logic/seq.rs" 610 4 610 27] (* as std::clone::Clone> *) - let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 610 4 610 27 +module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [#"../../../creusot-contracts/src/logic/seq.rs" 620 4 620 27] (* as std::clone::Clone> *) + let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 620 4 620 27 let%span sinvariant1 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -25194,7 +28833,7 @@ module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [ axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'2 x - predicate invariant'1 [#"../../../creusot-contracts/src/logic/seq.rs" 622 4 622 30] (self : Seq.seq t_T'0) = + predicate invariant'1 [#"../../../creusot-contracts/src/logic/seq.rs" 632 4 632 30] (self : Seq.seq t_T'0) = [%#sseq2] forall i : int . 0 <= i /\ i < Seq.length self -> inv'2 (Seq.get self i) predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Seq.seq t_T'0) diff --git a/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml b/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml index e070cf0243..31c6ecd606 100644 --- a/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml +++ b/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml 
@@ -36,6 +36,364 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2843,26 +3201,6 @@ - - - - - - - - - - - - - - - - - - - - @@ -2883,16 +3221,6 @@ - - - - - - - - - - 
diff --git a/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz b/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz index 5ca92942f814d334cea05c482fc7f82fdd7f5216..3ac0f6172d9b46fa1a24cd2318a744b7a894c180 100644 GIT binary patch literal 27421 zcmV)WK(4Fw=J`}MXFx(TnsFAwEE z{=mZL@~(#OzwgS;AI_PcWC4L?@#A zgnaXRIYCW_cBU`^83gOR(sThWFRE*g31Ky9sU$-{FAFAG1 zKb!WU*hpzn03Ayo-am$i_cVmD%)fp4_^ycX_wY;KqdCdHhacbmw-5g)^lbAwwby_C z@E)%ZUXFGDe75bAesh7qU#{#spI$!jp+27#UP(bELF9pcoZQLZZ)%?Wx*|#A z>uou=Q_kGJ-i-Og**NGE=jTR^q9}2{nX?s%+t=qrs?0X?g4?$35oqeN@r$r68H-wt2=)U`QunC4C&Yo{jd)En*8x7XUw)rjImeP=8i z2CHNK#`dyjuU>F>;wwzx?NT$Rcjn}_Vi8YfqH1@9V*dJer^kLa=j<>0EqlD$kdDi$ zL>qz&$(WQfrkPBQdd4}V^Yx;T+ASo`np8~9a;7$ei;&T?@;>7Yw~HA8@u4FI?^bg% zd+Sbu?JBFA(e^vcTNc>POgsrbl@Q`D`yCK)>|)2{EGxIk5#}W9G&$6Q-SAz=lhCgh zh0JcD=I_YY{w4g-x!h4bg*(Jy(KGXgBzwQ`MzpZ{P?Of->${Ss`coq>hx4^kPpL7nN56 zFsrVik$Y1wW-}wqjxkvl*zLbNH}zs>jD$b1gaQooXD5AQl4)|JJV~|i336-hB|Ay6 z@Cj1x7UI+3rr-vGF#HfLxPd%S$S}r2GO?L2`SKpIYZq^HeQ$9~_us+xz5Vk3^TYor zd0G5q9v((ME{oAiRGm229{k&zI*LC^}PK0__q8^ zP8_C-p5Cwfi8p@r1SXQ$)dgBRGzPCT8|>#V@$pkgk8l58{`t8%_RbYQtVq*yF|lGX zpjM%4VA}#r6AawLx>-c?9SqnZ7(P7yt$d=_jppmwP=?7FipXw>fXcmIaucswnfC6d z^*Fm~t-yw{XUf75?vF&DABmnO9K=62W$b!4cAs3F+@I;L4YhjMkyed8i_!FCetHPE z;oaxb$>eh3rT^X4n5mT>ewe0KxI6rtnMF{rGBh)S$p^4!{5JroU5B?8aIQwRQc7W@m|!rQE=5a*g^GUN`(_?^l1{4qdfF|0v{{kMy*_(I@ze zpO-kNTk~7>l?~I(hG}NYzVe~3eCR7*N~aj4Qw-86hQTQ6ygJGI)!*Y_MrO<9VBiq{ zvK*XT4~7rRd`q|VmzDcjS8JZ`mKM`?mdECB@L`(yUvE~ihmh<+3CcOg{@pYp@|@a`N!U6+}!%JHe9ty*ZrlvU+2NioXP?5 zgIMU-#RBK>xL^JJcY68n+n2AFJbWN3t7re-J$oP;uR1?|zbezL#faahr@TG=fjs}J z<$glAXs`Lv>!ZM^S)iQ>X;x^5X)X5I|4R{gSt~8i45CxGG9^cMrb>#0Cri&cgU)DZJZOmEc%hc72 zd2<`h1{=)=8_kwBnh!Rb4>p<)Hky{J;L=71IQ%`@XffF6&L5_Ke0=-v!(XY569t)X ze*O~Pbq<}#FN=TmlZN2zaO#=OF8qWGH??QsHM?aIiJhr!spr8eAvwE_FGhJs}r7~2KBkEtZr8`J7 z)p<8I)L!j2WV=ez>yH@c7~F z!~4e*8-85Tg>9YdI@FcMtNzD7=Ufw)0g*TaMB*$U66XMsI0i&w3y8!P5Q!Z?B+ddN z@s)r`d<7s9UjqQd69CcDF&$~hvX~Iv4$CgG<=qy|5w;bo+cY^qw{4^42;a7Cl(x~h 
zcxrZ^>h{8|NnkksU|xB*4{_+2ySICIONwq+V+WsfuXcDX)k*5Td1d{p-G(Q@vm)0y_;VGm=*I=uetp1lrN84};qR6U09V^>_BD1}e1+ZShdQ(;*?+y- z_@1qENmyr<&YImb9x9F13ASR$SE#BPH`S`igS=t>_Sel3pvF; z

Kir}#?9DZT=7imx$U;#=ImJCcai%dISllU&P?ILXywL)#c#tv~G5+%L6R-l1M8 zc2a!P*Ypfl^G`oDa zKhoWGt=XI1F&^}F_3~(>yIozpI~d~;i`K9A&G2${WUuF|^^+YLm3~>QJ=*Whx)hOn z95%z)uo=eY`2b_uUGMXLdHb)g|9i7qpUUSC?|x~Cg!l75z^KoUpT4BWFQ3A@w~JE! z&e>6c>8O>!Y(L}^d%f<77+v^@!|sgks&wRobpb@$6GPq3le z#8$pxE8m;oRgq9o~JAIX7$@O=R}GZKD& zBz!Jl|M>FQ%L6S?#t)x9efW<~!j{rD5NXAhZ(7^^^S_l(507sja!c^TaGJCF0k0+r zoVD1?s9eeDti(!H#O+3t57@Jijyb~?^yP}a+-D6fz+S-`Dz?X(?)jQEYIWde+2VNk zr}b$5Zpy$&%@l|4PiBwCn1w+ZlmCU5g&)Fxf$+zZ1C99!gCFS0?N57|IQxB>A0ypu z#eL?8d={z_V>F_Z`Y+M?PSQ$Jbbe>%)ZN- zUOa279~&BH3a(GR^8EwOd~k133Ej`icy%i)>+vAN%Udb=)-4%q%Q*#7g|?eX2k z6Sq_Qpiswvg}{IK_;6O>7ZSKrcp-sv%5UC(`A7K#JJ6S>>h2%g{4ix1|-_)4U zxzIN~*EfBnZ+cJ&eN^Cfr9x(?VJ1yua((KhzSca1Z%ZFl@%9)bA-pt?uihcO}m_EGE504KY-ji7!0=|=Y^YiNMhxe)U zuSti#ynkOlcc(GH;qfoM_^Y!$fXV_q>I5{pCq^1dP5QI_~1G^332QEIqZ8VqjROt~)4VPRhSe2CRU+n=3U zP!XaR5+Rl{A_fdBmKJgL{7JL8=I?42cVDV*7N<7sejBRYXJFoJ=XCtjFaLCHqj>z2 zgq1HIh)$$;8XLrToUCcG=W{jwx*4Q}R+(tlmNL`L$yjmJac+my#+L0ui)+h@U2eah3DdnDKa52cTQ)G! z@Ut>q-PyZ#MF!i@?-sL$mi*lQ4}PpW+l0=}{(SSbY;K2{kJ(IOX`1x@K&PB{xFJkq zvl!wFP#oUq6`O_ao1AF3!>eL<{)C;_Ohx^&f$4>tm6@}-y=(OSmd#DHhnCzio6*@h zn_qvOyf3Ubsh}E;njgMedj7Vw-sWNcQ14PXQ?mE`>oLUPM_Tqio|U1v6`**H^o$Ah zSBVZCmcJ-B6Ui44nvVE25))_QlHP21xn_G9*|sbi&ayppwu(*zPmh+ik+&1Y?J$WP zmmWeKtcvUmqZsYhXm7;Gc8sMnhj=?tZ5R7UwI!)$CXvr=E}NM|vV5~L3zJCi7UsGq z-i)Ogn$f##57ftD3f^pZx%%^P7Sa`LUr2knM%qUnT_x?^jT0B7eIoe+(%!TE3TY2B zX}`esc#}&PqkZ@BQ~Afk=W?^BKH>AIJvZIBLZvOmzH6U{L5140r@fvA)SkEDsI~IS zu^_>!e)X-Lq8FV^qV1l7UQE->w&)E^-r7UZp~>H~heX@rQU@00mYte+2dcRuxwLM}mrGuKi=4Ok==EY|*Su11ZYtgO&@t;8 z%f8Q?wUK{G=BxpGxGA(V{qXqD@Ba4Bk90Z3=ZDWvkX`E7-W)&A41oHjDY##YGxciZ z(143(w^B)aWKw8fe%4ukrn8<}^^49nj5Vz!ta~~lt*$X8PD)OVDS6x&-uZE2yLY*-Zij0I>7zs6VV9K17ol&x9C|ROpm)(55a)`>E)QrdK438D@Sovko z+M>tq@%Ao*XSgVo?E}so$NdCJSG$tlT!rq|Zf53oJ^%X6{aTXelB)J3)odiSHD;D^ z&blQtNLnlG4kV?$v{SKZrn)!F<*Nm!Y2D1t<@y>Tm;F9fgv|q+; zH%d(4cY?+I%>t2w)P%@i&#}B1ni|Q9#rnV;YLEP*Vrofxd@iRFGyb(Vd+P@sSex7Y z-B{C|i8ZefO1EgrrIYl_36t?t5ILI$TTwb@>0{9{0l5N 
zEtvYmWv8^WAV00=t<1#kZsPB&s@JWmp5gO)_4+KIb5c07d?v8>;mnx$!0Ct;mhYCziRiUzgJzN>UeRc8ZX!!?pYk)jER=ZyoCMS zJHAb*WqtwK?LpSwADRHZI!zbW4)4cX80B#FWy@fh-Pf$%3}uHj6-pX?1c_m9B~7;y>xDZNvI?ooj$3-m%4_cH1GE-o&M zy*jn=!1E6Gz#ga6%+7?=&l5bHJzhQSrl##Bd=7s^w3DWzHQm!;ms?JR8^+{qZ~I|G zW1^qNU5nICK-0hR8MwiQCe9 z2>^+8pW`?VViwahTTYwL)9UejM4Vb(g|w6Jg)tM;*z3lp}avllpS%P%t@W;rwSBUSJ!#Gy%xrsG1F zMmJXN*F45u0sJ`)bg$H~QgU|CXUJa~|GetOwU?#1O#Jxcy3QFrA8VZ#ptRt7N3`9a zyW9RrxRvbB#Ed*p~sfk^y(E49qA$Vfwdh zT1>zDUwZoe@$~!6df#&T_mi9hX~K5qcl6`UrP{ws#qUyauJ$)LmNuQf`$bFF6C=%HEjVd zrhcOv2UEXadn-6sOuFo|M!Qt|`DlkXvq{(ICw)ol;-t$BqFhh9-b}iD+N8^GpL9vu zZ`PA8*GO;Jp5omnxpt>b?M~Y!rRZSN_iJx<^e*fpJ%<$_=={?9KLO{nntv{|xTy21 z$l^E9_PDFdxx4B1?Za2A1>t^~XnB-} z?NT{Ya((EhEtlNC|K;u5aYi?f(jswsdOge3-#l!K7Y}IV)9hVOB{#bPZ9DTmb~(JO zLCnol!!f=%){uKBRbYd+fn@2~#s@M=dy_Zaw9YeRe?EA7E$VQG9Lf5g}8NqlsQ z{PKFzH@1CFQg>FPTAqN|rql`kR8dXK)vJRgi?hN!RC{)FJCbgvUikJf2w_j5rSwC6hh%uhUoxajlh)wPalRc(a~=C3-pxqNtmuP@!* zr?}W<&DGJ8DL;R3yvw&YSFK?!rD!_-bd@Oe#jlfuXK!-X7(6T@^(XaPe%=dQ>v5jAthwHiosECB zF}qpT?2a@&huePr)xhDI_fh0b;M(=l@+w(F(RLVnU;O1t{N=Uc|Bb!*Dxu#_`ayy@gi3V7?;COfH(ak-V$ z#Baz=`gU2C7iC#qkmbF7nr|}bU25lCin`BcTqQ-^)4a18V>@a~DQ0J-_!-*2UW!{| z%caP*6tlGybN7`}%-su1G4<>u_)3atjLQYPmUG)lG5>Zc?pD#yNip~5rI>HF=jT$) zx7*j}CwR-cEA}T}$ad56?f+6%`!Iv~o-%&B4B^W+7pozMSPePEYMv?V_cMjt*Dp`* zC{uVib21&FV(m!D;ttfs-)wy+s-#P==MPku0Ka!hYM&n8<-B8pK9^6wg#KJn+b;Zh z@$_vs&MAq#U3l6hzxPbl&7#vUHAf*MTWOvBVfHn7!G9hmqyJny{aSKb=cM|>Q@%7twTA}+4 z5S_-{IRYik>x}Bsm)UJhim@vde*ako3E=hHt6o3 zLcAN#tN}V;xl6V`dcfL^3d66(ZM$N~v{!=~DLV1BVvuhKiUzv9KtL{UhacB`-Q(b! 
z9m{!~-(^4bQl5O*raAfB;YTmep3Z!YhvRrZ980%#kH03hhb1xldf#703{}%dx<9+G zcv4>5Hbtku-Rf`KwzH=Pf^}c>njY}(Zs?spiSFC7vdem3seii-bXWbS8%1AH#ze3F z?QF=~rIByvq&vys;q&_s>5MHO(ph#Id@_}@zOH@ZtD8{akBE#7HpB61UU%(YTK45k zGuLjOs7)%`-<+{9Z>vLwvPpP<7s~4M40`XO>~0KOQE}tF#j6*7)}40g!`7A!-^v;f z(kM0Px{_O?u2%P{tN!pNZtYCi;H~pGf2i_jKlX8Q3;AqPZ4nx`7 z@z>3tX*+No}M2{>c6`J8TrTGS6t9&L^s58 zK|&V|tFdAFG|bSv_zl`waigO{WS4w-md5whaSKt$I)i?q-xsOtHbtGF=q^8Sfis__ znQmU}Q!AL=iQMT4v32uNp0iSLc3c-aw-SaV#^ZR?X~Hw)Uxvl^3;k83zwLPN?D)7A zt0R_keeEp9+Ksg=zm~T5^Samlm!c+Tz$VE?)G>5&aJlC^%0y&Jj+)gUo9Z+2_Tr#R zG!`zV4XSmN{%6GF&CxHC7H8Dkx!-|c=Nhg}KRlaFc=$bv+j%ZV-3m!}>-iA7?-lrx zE+oEmCsPM!7RpYEM&oRBPem@;v({2M+yJjb@LG&mhQi3IUmiYVeED1gN-KZB z(&?Yg_beEa@T$7y9`Y^9`U0TS?wtp}; z5346Vi=WuvFd_Rc6z)#RlRC!x6hYOTfcaJ&#mR1lgrI+%w}ju+cMv%X6rr4 zE42J+R_3gYd3`*R?P>D`yH;m}X78@v;rR-KetxO^I-mafsb1+xN~jlW(e3osm9k7* z!)$TdYfbq;<<6e}dhXtRy@DM|%u2!5$IJfrRWNf-!B$rm>?oLdCI#z__IbS`(|AFh z&RNeZQel2qqu_@oiAs5-zx`=;2CpNKc>gt>lRkCd;@IB8%HI5C-k@1GXisiv(BUmL z=+Gd3FBxoBZeSKmaYG_b`JwXM5f=5}^hdY2;l-~Rq^{+3&?w_V8|9zTE~kKvcM z|N8pBlZ^hUf05Yia@rL|K4dxa@$2%#rL=t}(b1*mng(y^4)aA~klj3KNph?Eso8KL z&1x%mcGvm+!SnSEHoR>ii!P0AU1|1eb%RZRb@uY1+@*4+Ir-CR{ZUNhg{>fYLnjXy)9 zEiZViMRU<6MR!?*_ls9%@8NKH{E~_v+V(3=9VAPva&M>SYu#ooi<#!$Zp?5>&rNj zgEEx=f@1SwZtegJV@WhR=h^lvM(Y#rU5(ih`mV8S4yP|pq4a&+lwOqSdbh5$KX7XM zSw<`mMl7e}pcl_-o;yf&W{fEP=4f>C(&z>T91LrDP-Hk|GAR3n!+7V8jqME<#SRC; zFAs!WE0N7I^}qO&WN@aOdjpy7(xXrP?GHpvx_C4YIjQvQGgYfSl;tIr%Po${aOm6J z)r;jtd~zzV-|aZu(t6B)x`lkp|8^ViqT6P1>+bR<-NhZcv;Hl<%sxGyuB^0gZXSn3 zWj5p~Z;w8Ry`v9&03P_UN^CYKIZJCcuYWxF;6OJ(cAA~c)i|kPr(9lli@W7O_ zzh3`1`;y8of9-&!Uo~7U-^@B_hD7wS2MvQBkm(R=*J;kT(?do2Ng02!mDq9CzWwv+ zG&?E1>>IK1@2lJn4^DOnNWkOLnfNVn_p@J-lZAF~9t$QRNQB zKzxH39QHyUj;pIUAJm}M-z+rh8lfSzxXw(dJu@K&Gl3tg`FA85(_b*i?F(1>0=G=l z_&KLWD}Ol8rvE_NP;9H_<}{?^4?nt3e9gsG-L5|4*O8-78=Ypnv{y{IA^WBG#-OJ* z_&Dp`*T&RU6KfWqq?*kBIKz7U%2_|dW;Vl%vyP90oe+ba5Sv*y^P!*QFza%db-B@c zz0~>x1`V#0^Rukvy(^f1s85gfdf)Ezt=_K%g3lCQjlcL-;q^i$%rJ}n*Wngs;L=ggU@@BNS421YBlC%b&@$;MA@ 
zjYo9NAiH{dR9Rnyqr)k0lGwle9i?V|>&>T6*9!14R_Q;{x9{v*i=6GbjB}>^q6FD# zb{ifNJsvuXJi6iX^(Q$enoGG6BSaEA5b0_JyY^38N)v*e7u&j~HR7CMRDO-~+00@? zk`v8q;OE{vUx_uv3u4VPAY(SXmqer20gE}u~6W2fZ zwd)_^H(38zN5cy#7?JPn9*?zT@V$6P4lYNY);9(WR!t37O>MlGm^2GsOb-`(=;2}y zy%IJ)<+Iq^`D5~DeWJ+h+7rI{^mspAZVzoA5SY?S<}W7MoKE4}of`pK@TPYTiMJQ( z=!HCbA;RY9`N^i46O)UR=u?NqI6A7)BmJw&&MeciJNg+1u*X|zG6?6s- z<>OKQ(P@!zEFK>8UOugp$Hm8HB1{@Nx5;j>V(xxlh5YTl(uxDruxrG2 zzk2@D?zKdZgLRREb&*ShWd@6828(8{H$M}+dZ;ZZ89xmDdNIfeg82?Q9T=$Y$bO4& z?AR!G<1Dz@3h>qd%~bhNa?FlFkmrgt+_jEU7H#binZKsmJGW&V+nqjgFt@wodPRn{ zgP(gW9_M36$i_<^Xs(1fKNEctLc2a~x}ss23BfPS#0K6y!9ZVU%zIY!fOz);oMxW7 z9fS^9?Y%p|Htu@2)qSkJU&b&)^3VdbJdxV4D)SYU)X9x2po1-)q5?J#AJ`<4PXCR^?9p)Jh0 zAJVb>kdEbV7UADA7(Dvi{Cv&(u*mI_1?R>?$!7ocZ%~T=`@^sOc=jTq{s)1@lb(S0 z@b~Qu(Dy&~FWy^hH!M22w?{S1liYT4kKd2eZ9&V@dRQaX!aZ)1LcHwOA$F_nLg> zmJWQTIxzcuZuXB*h#ahx9;}q^&HiY{^kByHV8-<5g6-BUn!$~j!Ht+9cY9sd?RbXP z>-D9we25PD5FHMd*(@zHpIhd|PVvIh>%r3N!P4uIhsQ%&#GY3ga>_)1iikN_w5^D_ zYi+GNu(fWV=n%)OM*Q23>|2_0*>Uh!fm z>#r>;2A$YZqw!RNyuAV&?;MI5DQrpK-qia_Waj}``0#NSRZnlim-nAaNPi3Q9sSks zDSY^NUtiBQxbQcv+cX;8qfHz)op^fx<=wmK@o?m6CyF{!_A!cDZr}}Szh#peFU1}2 z#2vx>knMUpFmtcMFX3GaQ7LcdRrvV$srzf%!)j|I$Hk^Ky`RQQEVt9b2Q({&%?#Gg zvFrxC8#b~tY*Ygq)d3q9xd?-_9kX#8O|X9OLl(vGXNUYdR*YM0?tcDsV2=A~)1Dpo z&-P-!mWm)xZCQ%&`oJ^Mcs4()2N_%ZDSmF-H~o6TiO(O5WccfmUazE#REo-dPgSld z_{VDt{>!xm^TRLK7R6{U7H!O<58Lpm*zL_tmXgI_O*LLxT^Un_i{w)B(I~I&cl?gs zWahGWM&`&;&Khs5H(3>dnoJpwLh>dUDMiUuIH#Fc8HE^VYpsQ-LT3~bH`OHO3^%3f z>UfP#MW2+dB34n+0TfaOtdxjTCkvI#nK=OjjNeXO$TB!zU$ z=Nc8G5w?ONXyuhmGP+!OqW*JVIA||1z zvq)SL?v9&T6$5r!3tpis2{Y&fuRd^#qzkV`D;{`k zRrsok)j1aBt@O%(|0xS!Lj~gmGZz1-iofHlzG-cWOjUsqS}_bg2a!}2CW3+9lOPJV zsa2&HCMQg8DY96l12fg@D4EvIB+<1c__9`V-eqlKR?f3n6Qo;7NTY=$qBcpP5ZhW+ zfeRsW8EQ40Q8R*NURYLDnZ|J0hPL1a=w~h=O}u!+trNnB6r+~jb5kAFGIv7X3AL=~ zI2R!>smP)+=x4A}a}{`k&Vp5=>{=dujM+kGj0eLKR7Y47F)W9Aag<%W$mm6=ISR}n zX5T^g=~iZ;BgQkyF67p7Ss|{DffibZ_H$LhfNE@vlk5h~E%+=TcMz-!`Bp+o2L@Ni za+|gt*@Y%VE2K5j*`#F-P-3I9;9f#Zve=Q`l3;p_Pf;idBNCie!d6pC;FUSac4U{P 
z61vZzo!SNm(eO1%{6?c_`d)Nuf`K^jB0w{WVHi+`A(a{SJ&7pgq3p`U zWGp#_!ZmlW?cTyFLn~pkvTa_a6Q9a4hlyZM@lpxMH-sst>@?)lL@~;4Nkw4Zg4M~D z1e2F)P$@_WE|6uP*T#ht`Z zx*qBpO~H^;k`@L9EhkZQfs+MmO>;JoOU17s1y+dY67xO==u#CbW*;?Byg*l-9p&{Z zYN9v}>yW&F(b2VVrnGfj!{|eKiWueiy1tdFRI<=e$WK*FhN6s$FgYako$F}weHFD} zLSm3XC~$y7aolkwH5{gdv4YIdWQnV(DL776T~vS}5OP%tOl9%jYgh;4#i$S0^-VK) zQdkQ}hl+5+Ri$bPYZOSQ%X2-siXa@6_0AC}DKLmYA)c`sVSE8lV#6&8eZxdRPRyOs zcS=E9gArVM*!aX@l|!>-zD5otRb4|wj0(c)z-@YCBKMF&BLN7EBiE;@Et2e__IKLd zX?v&5oz{0+-D!EJ#hvCvATY9X5LG~_>Hr)QYnSmb#r~sDaR0-HGl%kF1$>=Hzd`ZYk1WbE|^^m1uKX+&BoiTSt-=J6# zKz-U9XponzdIl7Qsi4_Z9elL`zN5n5YpXFOwq~z=fds%jDY&@?Uuy;dm}|H?$R@-U zs7}TR{2>8sOKr#$Ru`BQI8U(%;nM=hiDdv-3s(bsKz5DY8Glo>vheUQBV0k`vjd0) zQY{SqwVk=L^3IAoiyy4FoT$f~Ga0N69-;(s0@9K)f|vkGfkm6UQ>zwL$w%u@jD`c! z;A%)gz@O+6;VLn#&ZkBtxN*3NfFawgAb_an{7yXp(_90XTw*gn z$s`~NrxaR`0MRr=vr{j@Apo!h58%Wyj6tm4Nx_S%8R(vb$D*Hhuc`u~p$S538j}tC zR2cAsK|BHfNnVWV?e^Beep}3Glpd(3R`|kPoy7lFu%BeX9XqH>6B)@X*<9d9AfJT- zl#t-}OE*w^=lD)l3nKuLx3Pc-Fr$Wr5x^EetAx;KI-S_BDxl}S0&z=txeP3($SA|s zDOFrnG@Z`fIW%nUoW67F&dDYf8%hi^4(3)UM<_Z%tQGwaTpA=RbKi6X1`)830nH^q z!ziNiT)G-Ff~n%06hKEjxF=Z=2|^0^2CrT?VigDWa7<#;5oTaT;B%qZ0zMnyp`iD$ zg9w^nx%sFg;6yeHqG7V^3ikJ&GOXYznLt6#I;hxCE^a1|cL@Fr6BV z2O<*q52C5kK<|-`Fy&lAbOYRK7(!1A1TUh68-um%u>6sZ1QGVMPMP!At_!lHm^sP!Y`}#+s;I zsUwO<3q#JWjlw&`>^{Ja0xfzA99mfCMeYpnoF5)l|& zu|LugL}U!XLh^w8U_L-~0wdr$VSAKr0Bu)CfEpqM+art?S{Vj#kf4d6mthjB%0T(70Q-Y!TAb05m|&bT!uAx5hp9;!kwFG{CZA{2IX}X|116b; zm~-l=Ph5)t$pNNPh)U1s2%NK|P{*sR6)laa5KS&30*l#V)EON~h^WCG10~^zQM{MH ztAv{%3erY?Mn|ND=s6cstmHXGgwH~244@uh&FAZN1QBpX%W&|%GFqHrhh`T_9Im?Pea0OWn22KHRKoA5~gbQD3C}E41k#28(L=kFM$p7NBIW`S57cb~pkajZ(%Nfu3N~68 zk!viuW39bFL_nQA6x%{wF}ch@*ns|0ricTExDjy|h(rN@B5M&2HV~nM^W=FDxgf$L zRyQL40uktTTd9ZXfN#^>0rQw7;1`q<-GV9?>;e&R6P_LBhn2#VRi?njGQ{EV)9{WR z5q^OPoH51^kZqj+;KW?f(!TQuSDo~=>9G(Oh`{y%K_g&9AZIZUU>Qp>dqT)M9J6NJ(ONb<2y7vRAszv;Z)@^gs0&13f~}A-aR4Kyg3YPAK)V=L2Z8wOD%%E+ z%9W3R7YtRMbF`oZ9$8Ts=N*W>XxkFprgpR%2*gz2)gswCZsB1vNH^Oi^o=vNa+6`N 
zt0&735X&eS#*D&Dx5%3dgAl+)2UidHt}+7{EUpOPn#ACWjT1dJyu>sD(I^N29B_<~ zO2?%}>@2ERJvBJu3fK`~w}GrfbdgYHPGoZl$h2bi2GIlq_K^reLv}nA=a@l&A}Gq1 zou~_UqcY8ZhTzyl3(OpVA7M4BS^{FOr-p(049h_)%h3@?iXL{Q@`8|FcE$wM1OuxC zdK4L?36m!f%<+nN84-!-i`g5-3!_Vk3b;|)DXu33IQL&4@j8_U}i1MAt(T@*(Xbo2C+@az%YXK)PNE) zcwsA;i3lD3623N7Wh|n0K;vPgrJ!_@@D>2oMP|6PTp8pK*4K&BQzNOA9*&F?79iXa zv;YdK8Dc3r-wSHYYLT?{4A?*vjtJEgN(UMQqzr9MiYr)e1=UsreW6?mTB@L6ir&E# zO4w8h<1A55qMSrINf?&C;1i%1fTCYKb zig+K6lEfr8B*&Gz0h{4FZEeCX5fl_bTS5RD9I!)mYwo}`nwHGrV3?_xNJ-!nCdVb( z=#`y46tvooa3}&X1Ib2!Fa{_Jg#aXu75KaMeIpMn0_m6*8Ymf_3veJ5L%Vw_4DxSN zN{}Z3;9U@3!W{+yNCp%F=_qa(>GN74sDmj{R?iaLF?tA{%q~OVOctfetFWY_MJFa> z1qjojx@;9@HUtVIF{k<}EU7fK4q+9zQ>*3KgG5n?^K7gTl;#bUCtL)V4^XE)Exm+X z5swDMuFNt-EX_1&hT-c9)I?(^s0=R;Y|D~yh|Fn~rKc8Y(rMoxfwqI3z>C;SyCsQu zQgcr&CMX~U;k3gDa~8OlywI{0X=3Oa!#tj zHGCaZBQYlNG?$)Qky>E_fG=R4Dta9Wu!jU(n-Tk|o|=N)$H++tAxpGV+IAB(zU*hy;Bx37HR{unVy=79M;lB z16$_>a16o3nwqCr=w1 zve3eJ81(m+Z#Yq4fQORNNEl?ydI(v8e8Ds+_?{BU zMP%rSfUh5s8W=&~77&cY0*;CU!wdb`$B}T+k;2veAKAbBxY#qJT)rda)Iy+`K?LO0n{V%Ek2XW!9AVsw=~0RHB{gAIXgy4O zDqvDiEeoJA*c4bgO11+7ML`@2w}H7AZEy7X`NnfZc%gIvwy4sO?}QCbv^v8E$p^Iv z*ysT1jG(1V=^OwRKr0iR(j>Zg1k@q~5q^P0NYP?K5ePjD!U-4z)2DHO8sr+0kw?@6 zrUW=QAb7;CkX4E&tm~=C&7r zg6^oHk(fc);*{aSDVkG`0W{k#x+h*aKvqaMZ460pzG7|!;hbPo@ur(cf1{+dm@cSA z@m9gWdQXA|`SKQ!qce0c>Bf)+Qc6{LSU~*Q-q4ci~yPgJ_3(1DJTs(M}RiA#w@>qZ%D8U zkT6Qvb--9qZs?1JgO;_%ff|KCaIFQnOK?nEb;)YYVC*RW!S>W7ybvI@%aA7);O!kn z8@4c^VX9h6AL92L5inoT!Db>fWEoxtZiab9*;!zEn`$d>NJs?0TawJnKp6}Y>fM}Ur6T%~lrrofap-F$cM*DOz`VfI3jJ~( zl7`79z5<+u0AR}|Y7vM6<^z#cf!YJJI|~;DqewX`eBhgKh&KT@tITMP3rgDwkmiCA z#7X%ge1k`Ts(B!%1f&Cn$&&K7fOLVlRA&r8E%G1`I-<83@e(boQARV^M6q)1)(Joj z_FMtUdf;^kOosntMq%u#Eey3?H=>qmK{OV!q(o1^RLVZ(6`%(O0n92h)h0ujduo)E ziN6uL(B3OTQvuUw5s?Imf%-0qPEW>|V7OK1jWNOS17l2K3T9nL1zVLVzf~&bX`j); z186lU@G~_B@CyV=3&A7?l2$rQas|OEz{|vWE@B99%@pTZ0p6ldQp<>r8CU_<^9p(n zqi=ydp}`cv+2&X&t*L@>EiALr5SBY=sKbt~+gA zQXVMc39qE3gcyYK1bH2UuqU9td7B*IN4(w;6XmFoA}EUmm! 
zmWO~AQ%r%lA04-;8blWq3wPezfSEx2wIYJT)WAn@Iwc{JG_((bNVBJgiFbuyqesY? zpjC*}Vbc(U8(aNLpKs7Ah#cZQ#Ju1aL|A&@Ou*gLQlNWk z68aAzfoHRH`~_T-l!FWa2pe8nW+hSMlnII8o5Sa*!Z`evq8t$j2?lLkPt61hS#<`= z6__!^V2E%zq82cm(wlo~WXQZgEJVw8@I$c4z)FT=IsleCGv#1{9TdtzI~`0d&^az+h1x(m z$+`nU*g=C7L5NDL=y2IEshAaKfqgM>M3aLCLAMP23?#-wtvQcg1lsg5n4b&oR zJrvg&$QMII0AB>(Ed3@kBq2kvGlDd@D?s>2-bDbTC?gU5^UzbP5|J4Cgb9Qf z$^l>|_ymBAYEbWC?kGCTlmOx=0lUC?nam)oFa@?+KJ-l?woVrC82%5@T!k=j2ScQt zp+sZxB9=$R1e>X8iySxz7#fb10T?lrBSqw`*rok{DJfUmSwJE>p^z=QE-?w@AfxY- z2rkKkpj7On$YE02x32&njIuQ{;|R5yk~#J^k!#O}va(#}*4eSq{;L$K@GB`x5fIPtGa3=^ltqwgkKw~n|F4K3Q zfhOpTn}TZ4s;LB?>8T-#3J^J3!lsO$APlBSPy&!ruqS$$Q|(~!U}6;FF3b~R2kl+9 zn!fZIqkS2^1EW5d;m?6j%+Muehe;goym1eX&x;AOh^@hmoSUMJm_^ra7fT z3#Ms8Dc_E%KJan=IgGGkv?Q$*kfkJB?|>U9Jvks`w;~Rj`^^mjG8z_GN@Vb90hytZ zObN6G5d~8{e>4K6+>Vhk#EuF$t?&Tg#h8U>_Pr&6_`y;@eqyxhya!j{edU6VbG}tsKJxC8WWvQg%<)ga4Jan1IV`%w#z~#%fk@;N=j1B+7u30 z1Gk$A>4GMr=NGX&l2V&191YLF(VTYiAlH;$2Mj!9uU*Qq3Un?fBt{Vnu?Og~07P1c z01UChbvaf+(P}%u7_FlrMu!iEIsg(fN(}DL0kRv~!l0c-%3FsPVN~#mBqIpox$opb zu$ydbrAV2{im*&7=pq~`uwVu~xQm`zrroNf@e;uy5G=QJ2pBwRF|H~-HF$Ln&Il&p zrYWTp@sOv4-slp+m7W?cqtoFe^evGSQQ8K$QKE||rQ4(eHRuOdBwiZPJ*Pv$l!ucQ z%mnRL<(^sv#)7$oUq_f`q=*somk>(=qom$GgBmQd30%Xa!=w^U12zCwV?{}dFHKJk zo<2lF*^Z_l{Hh+h4ZN;N!C|4)FwzVOu?S|NS{Q5v!q!^T31$+v4j6k{ZAC=jpc&9i zfOXh-*zpLvpP>`6L*t-E>xhxgSV~&=Or;^QB%Q_|3_3l`DMXIL9%#yI1BgRV0Yv1q z3D&_wybRy6pma;aq(>mnXd@byntTVU)7DQP03w#jU|RYXt=D5c21TH0$soNttd%e3TtqtgR5jpz&5%Ti7UAWTkl zGEXw$fbcYYcB96h!3e`CW+mxZ4c!Xhi5Wq|E7}AjV7gu0cGmG*8v+jSu-%SM)IiyE ziD0sVC8CsKL@_;o5Kq_)BhGzj7YabrJ&d`gz})LP@TZW+trpX(BEld6laCN8sv-m( zgfBfcMzS}P3>SbLE9Yz<<{K&N+T8wJQJ zWEgdc@GxiXUc~Y^jGvOTv~#p#riG@neL6D-+t_blUd&^yw0sW??=dXz5etQHSR+{~D5QkvH)O#O>gxjAgJ{Th(W@6X^qx^tB_;DEgeH=*4iQa|;z-ly z%-+P}XrDF&xO_xhslw+~awU?}X|B*ygVpd9iA13srFFv3IZ#n9R#sifJvD7a_68xI z6DgJoKb=g3m6UY4PS~Mup034!#{}{vEwb=ih(1fThK}&%o)0$y(9Yx!>GS6cUc! 
z(K#Ih)#4eh)&+`c2oZ)sAC*k7$Y2j=(ZTH_O4Wezkg zU{!{7;MMii5LjYHG|6vBbnx4lAXKUVB-WYEp_8pZ%mz~q7zn{a5LyZ#qP5v%VXg17 z3_uMr1|}T-mUdPVr${3yyQ$Em_+I=-t~}*J!&Jl&VN76GI5efusxtH14wAq*JS*j! zbK29=ns!_*M1YPB18AE z6cc-D6qB_jr6AxAV2Z#?I-yH@bh6*s?nK(Q#88?Ql_g+Bp!{D>3kIS0u)sMmb%+&J zB#V?O4H}^rrZU4AqZv8$O>3XPK1YxjJp|-H#0vEn46#UW8350m<%khs*AVFg@gn%g z3=7Wa)H&Z1s@UVWg(eB9CzrvPGBj08m62FN{?ZK#4sySUZHJ zmc|$)A}tPFOAG3dKm{-yUW9L?Gyo@|vS8^9ES+kl3sD&70ziG}8^txWHUpsMf#sc} zTcLn$DA%96RC{V*v=j#8C+rB3V05ex(kw|4v>*7EAhRBtjaW$#o^ejqN*Il9RDyI4 za|)klDtVx!SVgmR2pvu*2V3C)I<%>u19Bq<4rm+}9=*V}m2j7W4TlY;+YO9_d+)s=cWLp|y6qoM7}1QsDiKH;ne6GNsf-4pdD`ML?fXBigksMv`M; zfiBR=+R7|k4~HFxrqb~=RWQ6%7KH&rEN$d@3(jU{iy_srE%jcBwt0r=XDZHsFu~ny z0QC?AyGVQaK(X*lnm4O%#=?=qozemkBu@xR*8zBi2LsS_5rB447!n+5xff86a=E;Z z(3OlSD|BqVElAEef@c;m0wFp)Hsp>r@>DFO-gK6sE;$lu2P?!t+UF^|ybub&^l})) zb}7xQFqG2+C22}D0(T7IqJZ8*1+#5yN$U&ouri{F6+yJ3-5vpyqw}U31{@Kff?+U}21y5}v~{9s z3rA zb|cy;(&AdAVK$ZEa3q&#!-I67peMjY5+=uN2H9OjN7bMy2XQnjI4*HZRi*T&)%=Boy-je-iNL`Mi1q7x<@ zY;?EuId$ZTGbr3w%^)QVKY0dG>1$??GRB@fgLJqg!W6XQ%yboGj$K$1mFMp=lSvJRWTz>vbGc-px!42~;Qh?hwk-ko-9fX`bY-O#NSlp;?U2Mq%-pppS9d z3z3b6V~z;u4Bgphm2TUVa#Kka1SwQa!?IKb9ii23c^F418a zx-i1h=`BuRFg8T6?I2xPK&km;04>Gy;I@^5a>Y@zfl#5)mO@oUSJ0uVLYL{bJVoyy z4ie%Z9n3!%4|0^5WNU;7BG}T(nWe~cZ&Cs=Ssmr4hhW??7MimXGqro>#H}`?G25Ak_8l*MKX_Qka zryMY%VmV-z5Hcz)s-awY$T}~E;A(frtN1F?0244aS^-K>&VQ;h(FvY{sE%1VWJSt?GE6YO27kg>D9IHz!&YHz;nvHL}MBWR1RxJf)xl$|gGVYY_Wa3?6e% zmot?Ta@SMy)#MZ1=wcv?5K-SQFO7h4jQ0F6hnal`?xO#qYryipf$NAHgw9S|Sp9@Z z)Bv?1xbQ&FmMQo(-ukW^X-V*eNL%^`(iYFHy1FUaxu=VlC{GLl8>|Z;ShZeT7_0&} z(8kf2719+3y*109y;(X0sdS-5Gg?tJ zw6&QHlY#CYL>SdD`SXt!VYF1nK=32bxuEbqM#kvGR*J5(RCK!(sB||>J$nb>sX2fm zkb<(3!@MU58)7L~64~Xf3cBIy#X67~-M*WgMj#4H9e{IlafS8=ftEUB*4?u8LLHzj zU_g!J3mrw)-ic(O!I1(>F1z4}Zu)wW#$lTh)LZ)s4~=Nb0q@ho5^Kj2S^x}Gi{^ZP z&zNxTCHf%^tDM%@={^)q+1aI(?6b49Fw_pn3NQM;yhsm}rS&HdNbOAFT4t+#qWkTD zY5|PHcf!lQ5Bw$jQ79yioGy4xi0l(>3<2=B_yQoapdYsHhkDU|SOcJ~vx~YN`=@Q( 
zQiOzYl%CR8x_*F=cQ4+T+}6e;!Wd&1U4WFNqFql!1}W8fU-V1&1@4`x+h#_hd|A>Vzm6|=!*D2ciIcc8zOVMC)xoa1}SV?BIFDfJJOXd0L=v&6Kd9y zHm4ifH?ZTa7{95A0byD!>`0|cSLl)(7<;;0nE+#pCOB<~Q>;yAS1CK*!N&@O9YB6? zNHMqFWXa`?qkAym699MUP$s55#u7rIltKV^J4F9<8#kw0`(V;_HI^>$O`w{RM#JngJHDB6P*aUplQn6Zbv>a3JUfqpSnwRq}_vdJ7Vx!1`eKNA%a(dfvlBu9XDm3 z^*z;;FF?2Bg>Jh_7usx48NeZC&ZTe*nw&|>A)@@0P&KGwd@3O@q&w}ph?r>7)?g7u zgen2{Jf-{7*C0gZh4OSwzp@EQl60so82SID(O%jFJt%|@YSqMe7vThEJX{1_9}WNF?5qO zfIp`z?3e|_LPVAjTXx4?#?{Wf`apigCrooos0%!Jo~)s>ZmuZ^^;w!T1OmJ%_n9*N zjiOve=5z7YL)F2Qbp$Zci zrxOR;HJSrLv>#zK?Y|=sru_pbeul-Qy)gQe%H9&i0Vz>o+UTCIlno}u(7l#7U z(VRWH(uLFJWhVkA-yxSwU&|i*`Y0I-;*MfCRLX4reMssj1w;?1v8B88aH=&6;kaQ>w~lAPEXeScTIC z#)E|qbop=R@((Hl_BmjSAPoh1Tw=&20FZh*$gGn+Us({NAhGDU0P52KN3`={OmWu6 zwjV>t=b$>gWTMlDbmI$*9-}WRlwx8v6y%$3Q~jv2haExe1COLL`m7m`%sV=FW$B{z zwn4)9VRb7iU3kEJr0pa6m{n4Nz9WXQr|u+|L?|E;3P_r6gaHy^fV6s=dYWnr?pRE{ zMR~GXw0by9zj4RCM*s?$3+x-x#k^EEtp;%oyd-K6oU2z z>GE{ps%XqZAn;<%GhkivC=?838oUgVK3WiIw>qghSe_SZUec~3ee2J91PFq*L=r;O z=osyrwmYSzcQ4jF!s3X?&C_N3HPYRzIdRxMx?QC3cGafz_QjfqnJ@qXA_bM&r+{J% z^tBxXE`WjUrq!2h-dlv&u%fPd#p!x0No#C$2&J010r`vfb z(xyYqki5ui*SvT+#iM0_*gJqI6#^SVk)xIx6 z`?cJ*+wKvB;~$!F>czTY5uf`aDNLf&<-m)N8PO?y3lm{>6G4aS?&ZWVCdwNyFa(k= z`lg%Diln2$72dx~x0W7c+{;-(3&U67F)escSKbJ^IuI^^K5@jlTe_s@FWLqArXYRD zFc$j8t2glbnL-SvAR4AyE%2gW;C?xsV8Kwz7;VZbNy|}1(Xk2x6P??w>j-^cxD!kv zPNXjsz$>Xrw_7S(=`Kt342qKaPQYcoa7U6woMla*ugrL(>6|t#uU45TDY|{-uj`2V z4LZXJM+UkbuX>*7){#O-8y$?ON=>9UdE367E|M+qVIrGmK~j1G=b9xOX*4&+17RYj2*@3 zAKd~*9!}B6QfNhjQWA9p?t&F$%ycu!HHN5tm6&ahc*GgH_LhR85&#h@Zznwz*Z4;t zUIb+>@QDUK)LpDN&1u~ed^QDS~#L=V+>uz0v}iC({w@U zmKo*Raa%`PJkR+@}~+J9*7?y8wmqAn2r@uA=+u zruzEc(=ASPi?&eoIp>nH^>CfS)8%=!pW*+nwKL5U8@GY*f1QT=a)Vrh>-~?Aub}o8 zdz_?gKWoO_Pa-KUKtUv`O89i~%4OZ79eiPwY`Bi*G|`KDUTd2S1p)J?ix;1cA4VaZ z{P95w;w*+VZXYZs)5kO&($5t?2eBjoXJ$_@zWIAoXwMG*iPACMLI$>Qa!R|e@ThvbC2>Jk%lkxkI|Mk~I4ep!_5r;tctjBc^0N|- zBwbLOV(cIScavwq^l^!l{_}k`z!XF$fui@sm5NRY%UziRVuQ3=>YvskS=5RN6)$aO 
z1)8_P%%xj)nwA##7i#J9Hd~qqI_4fEuzh!{^F|RUS2L}-{c(@=d_ve#_)C5W&Wyen zk&YPs;=2t0ycUrSF0g5i*@%6B>)Hgv>D^tErJbabUpM_m9M~RF++t@1|49>YuH1t#%My z$)E&A5~MmtJttarP*Dp2#bj9q>2Y-LvOTJ$Jba#A+Rnz^ce=nfRLXPJ>7qH!Qv2+? z@v^y!(zk7$@%nDJ_YocR$@|>Wu2gh)?1aY2uWQm#=DxmYDL$YW=R!%!o@Naa(PnXX zweDmn{W}C-O9l!SWm*&|Xeh1G(apZPq)$Rd2$n=R``#>JFMMWTZo1I+x*~jUP22}_ zg%<<#kDFaC^=9SiZ^@{69q5S4Tfe%0yodjFpxz~Y?80F4UV8v`=cxJwdqaM;vjcyM zIE1C`#)1Te-zYhSDKa9{m{byOYEJUh%w~yC1OTsSW|@sS%{RA*w~gCGBX7lEI7V%6 zKk*cE6V<-Hg5V=n|L7!>h<}|_w$l+ex7Vq605)*n@@o_EN+Mp-?R$#)av5`{*X%SB z-|gFWsqXh1&exkKzfw{Pk=z}(DXYxbvhrP%yT=eDkD0QVaToF}bp3-EJKEML4*nRSTljWCUZ$EvR!^9@G<(>{4h+msnSEM-aGn@i~*ITs%9 zCV4hVl;Kd_O;rhbz9_H4PP(NhD_`<3)AWU6&bf-ZfmunwR^J5t@|==H1hRu@p{5{L zb(2v3Fgf%tAHms|o#<4JA+-AKmDkyaB;A*`R%>3^_uXGd)flO!|6`sAD^rzVeSMCp z;s&SrxgA5m%sWvFHC+Jfo5=R72b&#kj6`r}b;$_I^5Ybhy$KMt7jD0Plto-xsQ_>% z>I5nC`W`HaHJ^0fGatWtaEYaqj#<^TzV5xD`lG$86Y{F_A0PaG`?RI!G%!rIFd<_4 zf`&>tFcRXs??;`V`n2V@Ys4k5TzqFMKk>A zq8s+E)@zi(KlSOyqs+`)!J(3&IWCJi3=5r8(?Pnl($8JdlOUUy>nFaQ*g^@ZX$MQok81(Oc(9W0%#%hIz_Xj%NW(`?yQuEZ6&0+)VAQJtc? 
zil?Zqmge79HMg?ZSwulvS254AeGrA96q%fzTFb8dm8xn|{``zb=X?eja`qaHq*)YJ z$y-(VuT-^-<}G5U7sH4zEFuj&Vw5TpepFRnm!tUp$OS6`!0lw|7jFEGWQ>MbMxte5 zXHUyKEd!-xAD-@k!jAUp3{>nDOFoHl1NDK!raclU-FL3W#c=6>n|Kj0*NiF{WGUGP ztRVMBU;rAm$EYFj?!iBa5TE6@hQ!dX`CU0}eB2VL!?4>aIWR(j1}Y&FOoL;^WqWCA zxPcWA_N1;7imhMlB)8Hqkd9s-(3Lu|ZNF<20@si@@~K1ZgQfAL=7Nkx{*u21L8yiM=5%RB-U)4tfbshWJOIS ztmsjK#+>@wNa9pLKNn-vUWT?dXU z1o3vjU))5XV#}}i23tjKG*G zIWmjIx)D=Z(jH<{mYE0d+&Z)_vMioyJjW;Vf_T+>MS;{9g8(*@Zi^0juJ}SCvCc+1 zMch?_puF}-AW_Gx?5}tY)=mW6Cl1qSSJt7#n3-BK^paNoz8hU8+7&4+lNx&?Mfjjo zLY}a9yi5+?x-o98NCNofo0_K2En>1I$`2#H2SL7eE(1Er3Gf)h#B$#o;I)Q6j|R={uPci85x~*&B%}G>6OdjVDd%+Y&7jI}(Y4KFy_OFY#qJ2~FJ+ zyVZyiu^0pJB{4u}A#0Z6-d`>4GWQa;sY_kJ;1{q3V}aSg1{iVJmt7Q=1sC=zWAbu* z6l+Z4(x9+GDqpot(cRI5%sb1_W`%PrW-epma>cxX>NoM6ZLd~+hO81#SW+6k=UtaH z(p*5YQ$E!-LC4NjONf+FWOWRWYBDzuRAia4nQXZQt;SnR5UPnP8<^cTa z7A7lS@lRg!t>JM3$qrz!1EHoI*6kiJ9~r>eu9>Xo3Qxuh4`s=sm7c) z=t*gbed0)uJXhtli)^bhN!NXKBeABe6yPA?S@j}*1xqW%K8lO!WIO7cm4GZ~SMVuC z^C#+{nbK-4`%CHAOu11N4<hYTE{e!7u}CsV2EG81)>t6Ksp5|m z(>kF<7mIR`7A$ss$}1R>0(*kS>~_(d5Q;k;mL`lL@S3sq(I>Ik2hR<$G?#xwE)S&H zI}sb-m8XcD@(DXdDKFZ4fOY|4T)Yctm&l(hT20l2pzvS%YICIcB*@}%!?f62O&}Al zz@>k?e_6#M1&SewTpS1Hs2c<>-nuIGQ7mb-Co@+v`WtOHj&`ngDl&@&cew{OZ-yRV zvHs)sCf7%U2aZ(Z2O}RmxLm0eTjkQ7yP`w^s2F z14UOkljwDetg0tpL)TW1t*|2PPjO2z@M5Z~XVCjW2ZTeOQF-UmoEUbiw_BBkk4*ye g6tU*c)sDy_0`UifW;ruO{)k)u4ZE^LUnY|Q0GKxZJOBUy literal 24505 zcmV)MK)AmjiwFP!00000|Lnb4b0s&HCis4Th2At%vNXfKjHS{#MiXq(OqKo6Wwf?= z3B#Jn%E$;QBBaXfUq9ag-2M7`dC4Hv%cv@;Al-oj;NUFZ0S@5*$G?2@`LE%p^7)%z z%csu|A3ywG-vw45yYKG#y}Va<`;TwlES}?`SUeHiy8C5r=>KMY z57cq|FT@bj_%PkA3gGSVXPmu?^lDaXG2C#bn(me_=;`87FGamdfB)&-`;UM5mQ(-3 z5AWXo{7ZQME&DlqPY-UEMdZCeksr%v(70Q?!BFw$KYuFWOZoIITh-I|YW{XvRo&}} z=&GK%clUl-+HM~iJoKxY9Gz$9;jG`{e`4Mv3^)AcOMA$cL-oLrw}je=bH3R>q}!|Cw_9u>pX) zt4dwr7yfu%RlE_6ORKTaR`XSML;Aj0U~h> zh{P5Ui7g-!JAg=B1VrMQfJi(85Q*mi0PzGsv~)~I8nP@VFkk!#+0yF^*jA`}A&({# zuOT98e>(9}-wS&$+^UM%eX83FwH1hC| z%?3YK;1M|b$7Xpi5!o@iPb>at54NWEdi_2G_!neOJX7ZQLgsd5XHUM*^7iy9kBGpm 
z&Ln3~D}E%*W0gN0d-`RO$Kr%P9sBrMk?S1%r3zQ{;}O?>eZX?1zvIvFcgqEUtL-*> zj@=f|u-p7lhxR1);CX7@t*1BILM`cFq@cU|W381qj@#&=QXD*Jo6 z#x-5Js1=u`PAsJEai{v1Yi;9WwH}|XS+z?R@^X!xW@f-~O>d5**Xn)^LfLIc`2D3dl;z7UPY%{?=5ID5 z_kBJNn%unJ6i57mrvpSyG5x^UmO)U@AC=F_CvmBZ`M5#lgpmcc078U8T`lF8?47Jf!~Q4)LBC$t{ahL#cQE`~4D&Zt%90HQTF{!=|ge+kJYo zF8$qi_lg#p?)D!qw@)RlX)T`UZQcDc%k5Kio7l=XY~_0syebmv!-w#G6bP|;nSS~7 zsZjOd^+G`8TtMWJfXGom-HkN?pn zY$d}zV93O#^UpC@t1Yopv!Kl%6@q4?{=TwtV>f84-6lz*W4YxS*pKp z&-vn6TL;?ExKMB~1hWC{<{9x#_7LycL(95)7@uAa&kT>v-R{$yb!l|KwqD;IJipmm zw8ay*Q~RJ$XTU-uKK}G@Q6m--xKnr`fpf}lKm79d@(C7XC{I~rm-S7K6y-=!uJlcf zB-BFR^jzQck-q6sA@os!o0STgv4%NoqT3sqeX|&d9S35^f!M{Q^D%{PHEpx!D>30+ zP={sAb*0&>rLgcp_LmREE|m)<2fdjAB^3Mk`AhovAwPV1`1pYg@)-Kwi?=_o-hTX$ z%J7{IJ7QCGO={oCn`rt+jFf*R&%_x@=vv>3GzD;kR zIvVnP?)YT&`DFIF7zLyL@}Xh=jKfrK7qRzP~cr%7B9Qz-LxDZ64aoIpeHe*B2dK&QT_q+L!#?0XDtS+hp8MhThvv^9Ygngm%3p%0i zrA3K16#v)}dA5FyagTl5f};`cg5vnbw2+A4{V)(WGt-9LrHv3r zt0KE$6qDVW?2VY%jFV-f7Q;;g!rNhg_n---(<5zFo~6dDfRm$;7IM@Ll*%p@u&!tm3&R z^pfo6%52^YZM_t+86h&4GeYJ9A+xf#H+|$U)TucGiQ7c_VQ-1J&HuE*`!N0edCYS0tBqartt|tFKXl7FoSn%g}n9_n!x5UE>q>nX`5eugRP>)DNdZyZaAc{`t*c|M}C$FMlncA3i@pcBx}~bNn(h z0P2rT!QEP%saF$+MnrYCEVN8;U|J}*Vb)oHp|hS^^^49nbaq~YSod_oXuUBd?v*?@ zrsQ#Bc=yLeft!29cLqEouI|;$NT>@&LXnYB3nQUs-c6Z%WoMM^1xl7E*=0B1th}Xi z_iDytb%DoW*XR5zhE_^LGO)GA0F4xy^`t230?yNlE zvT9j^Ev&jQ_Ri%gxRP?>|FJ0``!P0gtroY!e%Z|Q+?`9z*{a6%M8D5gHTiA-X+`T=&%6H-Yj7A8Bp`L3oH*(XDt6_9tDW8sfnyutSrny`oupfrk13q=ki=) z#=rJvZ{?wbwYkmTjZ)o(DD?`_q?P6a(KK!D?3+WCX*2qEAzEFOC!yMi=Co=&HQ|qC zXIv!y<5+mIkwY`nb9OE<7fti^ww1d21kr3(#2+nPwQSj@4YSqp)rb{)yWmKlfr%F# zO-&3{d}#ID0zV#c8gh02crGoM&75C|S((LR7QMS$`0gcB#Z&>mA2HQFiK$Otm|Bhc zs^zJPsgEyGt;xT_Qq_W~Ph7A{J4^ZJmB5vm*xiTxeLeQN_1Fu1Uaxy!zsn|6Vvz_sl3O4`i=6K(~C5T>lx!ew-lQs*|Z1r~A@a#`M`-`uNuHLQE zPt@@M)FbI9i%g+oGWxMBmYzs9e?MkUylI*AVqNvWiEVO{aG5B zycbh;P58H8etKWT{XuT!M10uy+)Kh5HbBo>&L7Xy`=sOd>ueimi?b@G&`vi@Ss8>&!CIl9FUU?7FTrdv&v$8n%3>cBxz_IY{#`LzFec z&eOzi4l)M6Z6f@AyWFGC@%VmB)EYB$#eK`3k!Pan?O1k9k)ed8@9*_u+Rc=vqsM92 
zW0H;?d*z6;z_jhw5=c%Oxss*9(h3n@5XH|L=$Hjlx>*kxy z5GP7MY?wQCb|xnEY(BQVpIW(ElP)R7N*`DA)K3Dmq`^1stm=8f4qib~)5pKV5PzXu zUA&)b-nr6nVbRq^`#GP5;p3y><7>mmmxgcXYtMc8Q2z0SrswmQ^3&&WG_!6D-eKL5 zUb$By5_|sV%e#LKKTY|@2Y%z*aUFWh2<9!-^z8Z;35@0_o%oy_d{p3^f%-@n_pA1r#&x9LF zjUm*Y3_~%t0UAnRt%TZzn@?oNE5a*zoQ>-AFKVlRQxU#mui27V` zeA=YTub*^D+HcmAF4stJ+~6Vzcr@v1ciJ{dNe7d@UwgAB_{dJwOIQJd&abWiXW)EM z^Dl)KkLvs?viJ?OJ??6Ih>z)c+|~0(x5IWOd%2u69@*#1t1@QK*9*e!%-{JA^ut%H z1>s?tXnBl??NYf=a(&>aEtlMV`1RepX+}4X(jsa5{CajuVDqpoUOb?cPqTLemE7zG zwC%$CNZG)fHF(A_l#u{?uTujVW9(m ze<=U)D7ykWN@W)-E8LGOEBvCh`TBO>TokEIQ*Fvt2f7-ai?SJZXkV7ib|zyhv5yF6 zd}P#NOyOOx`LMk;pJwa?JIm*^=EELe^Vtq~fAwdFS34rQ$G~T;4e^DnvpaaWracJVwpZ#wy!0^WMI z$xdoxTy7;b@f&lKzFwB)qp~a?k>$O8ny)hGJ+*T#Mg8L?S4k1~H1BN2*iLOJ#q6RK zzd-xfOL1##xfHpUVz!oI?w%>d+`Y0CQ_t=NUr8~Iak*gEa&Eg6^RJiUzKVWHin+fm z#eB0pKbK;@-M+p&!CTf{u|N4rwwso3|EIFrhZ)Rwl=0g$gde{(S&ccwYRn;4^GspC zpDEnFL3;0wGKI%8C+9<0tQ{#?+`qc`o2~C-m2~0u{DJBT@Ou}u4(ahd=N%LDxqSLH z3@4M?cHz&9r|#^XJ5{S^=qK0kc;%lq=>Ox_*yZ@w*y5Z-9aGqc&ZG) zT=R{UgD89}Mx3k*Al9+wHA1*?M zs_7%$pWT&wR$kjSMbCe`)!(*lXP+Mk*1xHCe!%;^)H{6={R_XcXT7h~zuiQ-tN!QP zOuwg$i9!9_*^qZjBi~M1cgf-5^M{Y=f-N7@S#}zHGL?(Iu6<~&PpI%mM5YFt;rM=D zckNzU_T@}7*KVGuomF(Wdt+hVR)-8_lknj-mDQ&q^xi|+?;KlEanqg2s~3LOopx=+ z)|QQ5ESnC}C^hQ3l3Sy$R(H9p;qWGJ*Cw2QU7jyh=I8OO;BW~z{Wh}>yghXH%8llM zqb)l+3}tVo-%fv~?ZC;1XnC(;K4yQvIkIoc-)l2|_r<>%4k}IU>G`3g;hQp$k-z_K z#RZKw z?)iZWocSWn^m(yQtzdR1a;GQ6*3AcpE=s}0aXr$xl`teR9mhMLCcHrYby$42&|gLR z+l~j%j*n}xI$}B3*KRS^ZmebbwY0sT*S#LT*L8LV>@3-cI>t_pF87j0ITJZ2N6qR_ zO$`}&dvVZXG!`zV4XSmN{xjk6=I9qmi!G`bU#JakDG&QnQyj(2)7_%?O^y^7o-nDw}@iKX5K9p_N(fsYh?udr& zA0!}M;O3tnrFPJfy@jx)PHe|@*wBu_?sL7%yKCj=0t+u}KrKox(p_fqb4_wa>%+X( zb!j25+y24aJglA!EPi5tm&;)DrmtHM+v)N0RQ0N@-9A5d+WOV|duc82l3Z?fV>UxO z+LrlBHCyjVUZLervoaTL%$wtpY)_jn*tI$%G<$dT4$m_T`sJna>wNl~r+TF)DWP7h zMYq#iSIRPN4YS2*uQlZZmAiQU>!o}5d<8p{n3aO9kC*-Lt6=7mf~~GB*ikU^LJBq* z?aO*artuMVx@0}CNQL=bjeb|7-___5HQIGvmm;u7cW&w4*o8RL68-h!tlKRr^UYf| 
zUC*-Bv5Qx`yii}BqFTMlBN16?l-VTYsIOO~W)OZ`{b~KCW4L_7iscP4nB>HhBIktdrU&9b9l{K?^Uxn-`2e_pVJT@)0X`*^fl9Kr)2jAjv$;8yj?ZOAR_Sh~F0t4x2#-The#}{|B1Mu+qT_ZA;ru**uDgN)^Lig*2PlxS=Pl+e? z^M*325aj@Oeew1F^Set!T=!K?v)1Vg@rU*G-foBu{K`lsPVVzbL>R}}ZIQy+HYhfJcQOU*S6-q0Q9i^L$idD4>P zR`*l0@j{x_R_^Ss^SguR>lvSjcr|N_G)#5&2V-0@}bd2Sd28VRJx|`{ONHBp{o?N8!%gyloAOXWhz;R>WF%J^w=;6I7^V{vw~!^bT9k&gLJ*iU>s^YN3|9Iu!k ztk`__7GeUY^war|IUb*8m5QAINQ++2y3H5;UfoPQ=H~Nd$ERyoeiDyebF$O*&^j;; zWVi33^<^5#K^e+_L9zKTH+O)AsU#Ym^KAPar1gpSUSoEIzBhKw;q=8Rl%bEC(u*>^ zck4>~1E;oMWW@4d#PWO`^wG1Lmkv^07$Zu*JsO>SY;+?74u-WnC^DWh8I}E!!+4jD zjqME<#SRC;A0G(2RwA2a8h+zXlEImB?hWL8mmYmAaDO1`tcynjk!O{jedubnhqAn+ za=FEEHXQn9clBa<5uZF4*za~6Z)rW|KixvU<$t@4chPOLxOI1VlkVaU-C6$@UxhzE zK3`dB-=4mViOOuuQ{EnZ5PL@-_y|1k%PO(i+{;;7vw8Ew!3PKW0NMTQe8=|$9OmaY z#=}o`k$P#-!rk(lPXp$>TYk_5^Y~cne%?AknZ4#Wxs?-@@Bv}NL~H!8jNjz=u8NL1 zq1$J(L5v?a*-+}`*TtsVeOlyzvVewu9C6>pdDe5zjo&unO+8?9DUm8e#T3C z#grSeUwUs0`rHPeX1#xHOkFjxX7Nd?v)P|!SWjO$8)n$dW_WSd@ylo@#AqkPX4cJo z==XA*bve$u+-SXCYW)F&M%T&tMON~`70f@>rzd;8Z}<6D@7DssX9};T-}qMH^+G1h zIE%yA;TC4#v4P6R2db8HdmiZKkmN*tfkVdSly=N|s{=czL+>IHGZ#`jXULpZWL5M$8mcHAB%7qfBZW?TC|oSU2Q{_{Z_Tf}#kj;Y~R z|7GKx9e?+j?9IBk`QY-oGwLa$U3-|X35q6HB1jCsjAFw^vDuc8|weGWcG+BS)7b@7Fg5j8;vJR!wcZ zm^f<|yqF#@_R!*R6qsad(#7qNKw{X!AW8acPgZnR?V zZeNA`&A!r#1Jtl<#CE@W{^RboL|;bhB1h{Ymj=s>7R`(n&0KGO&hYA?wxDGCF!Y;@}cCI9fKe*6=}F@9i=SV+95K3O|^G! 
z%Q&_>L*!s?cE|NS8P*Oz_gFm5$BvLqmpss132}KQh9rb`ecJhohH)kYe`F>$@a_o) z`Z{AiuwnqjyBFXz^VD|`IO)H?I zEj>pC>}=H7u~DPci;(jt%7}ZQ`=fd$-;f%2ckyk{Pno}O$*4WmZs&2!NE>!4dotuE zH*Iwj+Fmd@DPS@K_x7$q@F7~Y555I)>@BjJ#eEK+MPwm0SG2x2tAiDeT z<>OsTft!-8cK6U0=G>3zSbj{$@~1`kw+sf4J~uyK^FAzcvt+@g@ldkafBq|!;{X2m zk6}D}5z+7qfyH}$2HxY}H#0y#{IY-X-eS99(aF6%s&Ss=wv&7O{&K!8Xjxj1YovNy z(;1$yZP77jPhDWmqLX_e!D5eW_+^S$+cwad^t*TLTQ+2hcHWJhYu5!1jK0v{J^J_K zT~A#D*Ue2N<; zibLI}J@=bxu}Ze@HTldf9r#RjVD|ak>>r^JIa(<_S}8r4{mG2!(TwTQjOob*+pSqN zqZ=`!8!=<<_PVUw@eHlk>q}+%7#;F4Ivg#tSz2a3x6F&3;)SKxqovoQrPmV=kB78~ zJ+Cz6l!^Wn5p%F;TM={D+FEyDYu!H4F^*Y{__rO|73Q%`t3Qt=j|&)w=5eRSVerL{ zdbS&m9hP1sbgboi#f!15zqY6tbz(=2rc(*><_c`Qb0}t_uqA!dZe<$+9zOme=or&I z?)Z!v)o{r>%;ji$^hhZI@&eRMg)bOt!Qb^zZ^5OHte{bg!XT|T$!^3%{U{S1@ z;O_%M)-UMsa9MTV4_lT~>vC!+*Di0&51;@2<3qn-_g;?&slE?%?{fLM?P0hnhFlW1 z1LQbAacvgcF3H^n!j0jr^5Hs2kvjhuv^!|4A{&wlg-ROGV=z85w?%ra5&yN7aj{wB4 z0=F~BIinmputPF1SDChs)=bw~34T5=Ro+Zn&g$-AS!%IEAKrib__tqvnyXu1TbqBJ z0F}SrG(L#h5P#415ahJjCC+R8v$e39F8JOBcl>_(fWq|s1X>#> z6nnS&dkUndJScl}s&|!~&wQCKeEey)_PXf)rxMa%Lwrwv4Li>tf4Zx0W=zK4qyvpc zf3#WcJD-dF@XP!6=f|Vfeb}zG9YMlrt!nCxa2dQiMT%i!_e&TzFTnG zLkK^8`83$`Dbt~?pdS}I@BI8YU3I*5-h5p15aX6NYo{G|mqj;hWEa?|MmDMgHZC&O zMoew1#o{9bS zz{Q&6f(aK^Ar-ZuM!u=qyJt_2(TVbM1MVn}y1_HItM(Lzgg@(=TVQrC3kWN);xH2j7Bufgy3Q!Y8 zGDiGhx7^=yw^KWMmaVbYh-AH#K1G?Gi{9{LOX8er^TXQASyo)~BAAMKag}TQUbs@M zFq3Ikg>1Fetq|+lMeCHbr;E3pWuf-lM^(jLhVYe(pXm(T~Nb#^s5ZwimOSc}es zjZ|A4)-Jy5w1j|Jrn!?Qnj~D3N(t{tTBJOz4OV$ql60&TrmQl>$iSFk+JW=3)mDeK z0ctSD#Ef;Y5gao>YVUk7!bxA7Y0-zZ4ce`S8B?{f=yNTg!)i$hJ>k7=bKJI8CC988 zNB>3gB@~M>u zE*7#O(w~%a(bbw%wJO8@yW)zFUL_{AHcoU}c!vp6Fld-lkxYybEytzK){5#?r^Sk? 
zIl<~g=&=sbK`_CdMD~u=Hk*o_B#cmiW#P7l?06{7F(Xxk)yP6NX;u6L4}#gvkO!NT zkdiy^BFm_04Mfv*S{S0wP;Ut-kIvg-qlfZWUR(Nn6k0 zfJNa6U5iN>!-ZiAW{8jhyVd?yyIXBCBuTB^PqL_mMl^W)T zl#2r{N$1HR3JIrB93v=}q_<|0WoO`Ip~YD#qqB4o9-?xZ_*^UTfS{)030!X|rdU9(Fvzk^DM3C&;<{*SIrl*T*uc?azKa{i_>y)6 zl5I+q6*v(t5xs+MWtSm9CW}(#WgLdCImu+KKs7p4m#xA?h7bs58mTYiFr}e0RcY{| zR?7jRbt)?5WFxR|L)S(S?tr@mI?`Zj**QFhYTQ;A$wnBRvYOMRm%+ z)Y4X1%>)sF%{0Ll4oD@7fgz{lu8W(_A{OBDLZS?5VIS6&;R*aYF(? zLd|rlrRm_AD zruc*j5W<(@9l{%jm_q?2nNG_@4g=?+fr0V@n1Vz$TTP<^!`aL8OB!D?e2WVTh=3uO zg6mciNRlA4PQw^6I+9l(19_LioQBOoADzm+n%Zg6rwfG#5>QGb(kajt>x`;!Z6vgVaJ10~ZE6a|tD*;fMX6jR(+Lj~0*7U>9Pew1*1}a%DSvC+t+D&I z)R;qC3a0@JT5?L{-m-x#C(pRIvS<#w-8J%gw867VkSSKcX!s&VIF`fKO1Rm~a_0d| zYASf>cu6(u90)8K&m|&N*v)|l2}Ujo8LWn9Mr?o(k|By>h$#x90`e!8odEtkK!leW za>;#$1bO8VC02!>(4s^RO=Mgu07C#x*MMKO@QaAW3+8E@XD=b(=qVyqOc25^7&s>t ze0RxcA`CKPJ%pw}USL}k+(e0F&oe|`z}XJ-EJKFC=mJY@v!>u01Ev}_duq4SdPzG{ zVniSUu4QdIs->355fa4c%IPf+9p-B}J7CF>Z`BZ59p>_65kBbkf4tN6e%LQ=p5k0-G2G zeJQzykP%IlP79q1imW*qX~+-s4hB5{k-?1oZj_E;P z0M;U{86cQ&5|dsEp19b&3~1pwz@ufRu>ktWK%)pa9OJgr3W!NDxiCerP4Isl!p3U$z<}@( z+6?`21S2cvM8VJUqzM;7qhX0t0e3pBEP#v<{J}iYq7@h?3IaLUcucn_<>mRsa|CWz zI>7T+X~@IDXeL^fV1sOfRs?!;09Qs>h%lmYz#AY(COD>7Hk=Py5poA3PBNn?*e(K? z-Te#LIx7O|0QfqH5{;M~b*8o@oKL=PKj$zOe61;n4z||0T-Zk=hv_TK}$-t3v zm?Xp`%##s{uuML($T|-Ym_`lF!mPk}rVJ-a(T{QrsMNOjmw4a+3n8i*PDFyA6$}>y zF@jA6vPnD;Cq&E^QveAs-YS?x?@4eVFW$o8H|qooYz)~DrBsEN1B{NqFjnM*(9fXu zps&d?2DpNDA-oLjTW}pgA$$Q7#rA%gD4@_7Q3Xv=6=V@mwLNbN+nxFM9@G62!L;WuIn zAaUaeGDd2{sT0h2f<8lvXuaA2&Oj}>aTb14)*1&|6iUG56(AhJF+J5Gg4Yc83884R zotA{R0AO_)GQ$E~upJ-$Kv)6u5*>^jVk?&64&V=%S5{E$A81CMIgum? 
zfTSdumk50jt8@4@i#P-V(xO1nLWcxG9*TY-TN3gM@JH(b2#1qskp*ah$-rqaJPe@} zT6DCc33HKQkRX$`(?UcSIk*9DiH6at_ln`lM&cvu01Dh1dQc-UFE5}2_JRLlo{35ReE z5U>uLB|We(N9YG1$Be?LRa+lXs?$ofAh-!x3Wa!EWg9G%9B2e~ zBSUmME#o)>YlV2A0*xTX6R>6$I6p`X(KkEo23rcu>+HTQ1?Jt_Qo{O}SRD~KdxYX1 zd{aKbcUo9$t-3}&k2b(1Kpw4U(!@#%{7rHNK^CN`hy!8u^*S`mm~7GThUP%;K14K33nQtPxZ!LATC z^N6_;lmY=PED>T;Ba#mTEn2q%4mG7BypaKRB3O!609uLN1Fb|WTL@*UMU%@gBmnnd-l}Ds#NMy;9X;?+p=l5i@sEDz_Q3PQy(A-oY zI;$f|JRr_Mt0rhh29S**!-z+2BWGX-ZTMyGU!Gr38i*KzC&Y{36J%9-fIZ+#j3~9$ z5zvxQZHNUt5E|jI>jqJ%P{3iZxkc7ai%Vc@1g#wIK@~*%0lzb-6QUFYVBKk%K%t+` zfSCf*gqQ|_B1b3yKF82j*FlTSlNSgtXvqp514fl2%HWs;fYoMwK>F7ETkmeYz4hkS z>szmGy}b3})*tWi(WXm*;lxzJD8LIiU_D-R#?+z#)%EcigcXbwVi4%1fDR!luh0XC z9NA>}aXYAlB0pYf85q73wh$b577!ByL-;kQ1at*Kvx6jf=qTsWi$I%*j$kZenSoY> zfrc771F>O1+#GZ;x3K?QmIhgAiV;@xjL3$gL5s)>{y+dGC?gRg^U!HkiTDNm!Q8-Y zJwpxKhfLh@M8Gs2>Ia28Q&BZNa2{wBG9iWj^1E2#sEWvehWYPBx z=i_+?`a%e)$fYq>qpyGgj5h5vOcMSAeG0Zx0N^gIkrRLe zKxK9aEP*W@oCYK85uQxXSa+>on;MS~#Gb}iy|coPeok+X~qXo47p`49v+NpKZH zR1m1B%z&^Evz0IsbLgmu8M6-XSCsJ8hLi(DFk`|R9sn^zQ6~qyF9NnGAovB2j2cjs zk$bHJu^b>}0Z^hS3=BarIt2O0P!(FKx)ZD1W9~3P23-_FXYZ2n@aWE<`Q%1o6(AZY zIM60YApoh-b~2m;ufTY8VlW|;!lGf7WN--k07rm?;RX=DSseyq0HS1HU8c`w!QC6c z9t91cr9ug`(TO2S36L&YjHM)xAPgo*P|k-^un>BjP3>T_U^Eos8cY!|y7n$xP2WX{ z(Y^-H0%x?gt#wWwa#c(rNprOD2z?uQW-UTUi6NCxiM5E=E$7KNLBOT0wt$#65Fbn~ zyawF8PK8!a&{xpXh%`oG3S0)LR$TLHAb|mD79pP!oMzDv!$en$RM3B>xulSnX_`s| zl87vOc)^)?mQ7WRR$Y|>$dhEM9elf{l|=--R>ZEE&mhdXHY~7|$X?UJC<9SQVWCCF z#MCf;ji4hV$l#J808>Csg$Lju#w@(1@0J0Q1^tI?#A*?jz>6XFh15nytH+{_#3C#v zR1kmyffj*w0apsy#(y9lWe~uMKEYc;>roRf973;HW-UX@^tFQ~Gqmpq1MZ?x4oD6` zpp?#WM+?2K2|b9x5x5!?tS4M4d2OeHgh7YoB1SK4G$#xJq*Sz#r%mAi8*q`CASXy7 z{(J>QQvjnK*j`Aq39#4DG)D0OF$E~E0L@v4NC)WrkwlxI zXbBmhh!&O**urH(wt>qSz&-T34Md)36`nS|7zIg)_$`o&BY{BZ%YC1GdCJCC3Ne|i z2z{i2UcvPNk!6sB#UF@e+EhszFA;tLLvjnirND$1Fsjmt!3lG4LNEchN*Q+uJP_Z( zP`X6GVjxEA!+`fNS|O1iP}&B#J|c_YpzW@J7`L7)5+#kG7}G_99Yt19c-m&k1F;J5 z1FHu|jA+P65hG?RAzTBVNQ04;Czw?exP}jgVI=$nR}Kut3ZiXT7&8!qYYx#+(wZp< 
zcB+Tc0xoOPT$ma)3^PL-EP_R-5Jp-7akbV8Hi|^c_<@)efa4B201X6KhMk5nj1E@qGU#!p)j{({!yFuF$QA9P(@1|l;8rFrwr|kmk33QS*CHAwD%YZ6$9$QRaSsK z4A8c%PE+GRETEJk_h@Mm9Z|GV8ZOV0??lu-5YvcyfRij`4gh>)*udf>6AoBR!{at$ z>N$oLZY(P};HVJmS5IRP8h*?sXt!ybiqOnw5Qd-ju)jb;2z#v5C4z?v7KQRV5h)Dg z2ZXm7mYDnCxu+Cd?qQKNg}PqXVf=-BVzrn%6%lC&m~F%;Q56AKZ`$@a5o4$o44fk( zb+khZCbZW<8Gb-6qXkehBA7rUWFU(tzYDMp;9-(3NsX!zXlDih4KY+kToY(J)B`0D4Dh&ekAc3xc-WIU+n!LWX6Qh`w^x?iI|5 z!`LZ_M>|KWOj;n2K%khJgSqP)Z5PrLD=kz5OM8sQdxRk+!sSFu`K$ncEjjK&dSWDt z1KpBv)rKq)VrE@nL=c16Aso~vde118j*__&f&xhyXMpph1+u4CYefH!_76jVk4BV} zD*RL>Zyu(Syi+a!E%OXdc?>Wj>-cu#H|ue z-6TK^2&{n(ivs?{Qert`nNCb8-K<#l73eM-N84tIC#>YOwL21ntkDWAqytqof(bz> zs4D0RD{UIA1hJf0K-g#j&NHGzSTowv0YE7Z2so&L7;;Fl2yYT)U}X!isrcVuQTlJ-!*7fEt~z}Tu_Rff*<>IPy6-oS88q8Sp0 zp)e*0l`8Opb*8yovH%E-V2%OMAT)^cN&$GYHk&N0^+68Afb=n&aEY`Hh-g6?N$D|# zc<#Gsk<56?ZG{1dA;LnySRm}D1Xxy>*LIv{&fy9vZ~^h2j4YbU~Gjpw-*f$O%vlTB{t~YJl5? zpN(GHA|ni3>Dj$ROeI>X2a?A;QUMNp|&^^1S~pC3Rout!W2#? zcLwXzq}R3#L7D`WC160Hj89G>c<4?Ms00=Z@tFZ~AC2IOWLYw0xFX=e#AR4iv?9lz zY3&o3<_LYFe}D)G5~0b0AtLBH4(#MCM_dN;gxDG26X7(bQy_NE87@o=#H64-0dmZo z^Z{lRCWt8sOb{FoJ=^}2V6_n9O6ZgV4xl}-=z%_>i6ZF1l+pHts0h|WHnj55a3RbT z%)PB1VmS=c6k0DaPC|}+0Qw1#3q}$u2~Wg<7>pJoK}!P+62T4!#-z1nNSgvK4X?m6 z(heYsP+71XaXH{zRtj*Ja{>;&>4 z3yh9EL5L*@zV;)}5=7NQff26=f+EhTS_x0p2%9YjIfF?>AWuFdDOS;F;qV*4biq~_ z@eT{!v!F0y&Va^XrQtj?nSez3_Z*@Q%QR@_GYDtQ8Nv@CD`6r9I}AhWBCQ<2{|+7t zG6T`lr9x8RDiT9913jYTYKU9NEyWz;hd2R?2}Cxqg*FySiJ|je+9K! 
z031{nF=9pF0_mmQcEo9&7>DFRr5!DYz?f7R5|!YxC_7uFVZ91%I-3dOcmcG>WTL%G zIAMftA`{piWF{kq0O&_tq@4}4$_?X=P!1)57VAh1AVL&cPlOu+(l)eiuW3o9Ab4my zJ1=fdK#aGuECpS3lu&~}kTQx8{qT15kJE%<#xNl#PJ+dtH(*wxker!938_9XG}g}d zahhnFX)aFQFxqL!l#LZRz%DJj02fA$fYP==MNWkgiUX!3fH({H!C{%9f^-&06^t&G zMPZ-@OB+?*g0Gp`Vn}Oj%d1wRZ4hxff-@FpK!4zEHo#%r19;FzGyo=?jONWyo2hW* z@QAeZ0-+OvQbvF);fw$RT?E!#6o&9dS`-BkqqHIKBh(^e!it2;?(2Fpj^LRE4nP^$ zRC!DNq<H;hpZhnOAUxpqYjFHWZ@+szA(rq|*et zrxq|62Byv` zU=nR2+kwy=@k@e5%L?cfU818TZQ!&jNgMXG`GRcR1R!)U>Ldhc0e1rFH5nP*mp6DEtQm?=sOqZy;LE}>2cM|??&a&o}NLh1^) zYv zR}Y`fIW79;AcBHy_a#FmHr2R;zXc<$qcgvS0hQAVe>>Y(Tnih_rV>1lp|a1KLgk(@g{btL zDMYoWPa!JV2(!@6m2%isMEC{%2I!(%z-!sOGCKjEXgc~(6($fYro+axQQ{;pn&@Z& zm`JpAn1TQ{#auBTPD(oZCz**Y)KVwRGjvL5W+}ZDXvreVq8vF-IdM&5%n5)adD;>& z3~nq`$QJ^7_GG+$T;nV$VS6WM+9sJQU=k|eQ$45NfiVlR87OW zR0SoW z6F;b8Ve~EdWyB&WP zX+R4Y8?68=DA7DsndtOKLG;F~vAx&V@sc)7gaStq0xCcQ5dpF(la&%XY>P*(6O)iA zS>H>*XVf%-RwrP<1#l^MLA9Jma-&y}%7`w2KC1)FXS7V?eX6Mf#TIUB-$-(F*b&7Y zxaQD92eM9GMV=BW0c;Z;<}?WKD+Z4_my8ZFg?6e)i06|}bnS(KEJ8#*yn`|kkdDy~ z8;o2=?B;26miGoc8ydKdxIv8Uw1w4A5E=tFgiyl+OIxPk*jhd%ffSGyV(7c4AKD+F z9R_)IQ?wy&h-ygaJ1v|5idE~ig~2N1252144L{FsNLE1UOgDXKg3Yi?bnKc510+Xz zBW+BkkBLzx5~X|+>%MM$fsSJUo+>2}Rnu+?ZAel+3LVvOEm@QB-3vFHxlRQxNkyQG zOlJnjXPAg6O;#B6)~tH*X6d+`(uEerXvNUb-eNXP26*j?po*Gh{KcC^P%V`)5c~*? 
zE-2QIkuf^|lcH;uN-&Kdg&&C@@$y}OuLf8rte~vqFz^ZDhR6!GMD{dIghsF0h0IjU zJ~@rh6xKQb?B?PMZQubhHG?LYebp||)+_)=@`VnlYVSlc(Bnv7Gu*v;XC%{fU`o;%QNR}FG9^HxXA)6TWeS}^<3jue$jv@p6(PpR%l-j`yM}h1RxwV97Nvo5N(Kbcqw1aK| zmUVS-y?~5C3fofSrGx>Gbae+%bb;E0nzf{zb6LsdT{x-D3jV zFM;O?LAJx!k~Xs`_@+aYltb>|bOquNKtXt@nETyc(wrRKhX5A={6mKYG4U~$5DF#l z0m<8OJpgf}pd}U{)}*Vk2supx)s#F!Q_7H)wCUWax)U6L2)dwYN_uYR9WV-t{wW)| z=M<9ZQ$*FDg4Z%|a3u>7yb272tu#S(i{?i>q!n@Shjh)@|=B4*B|a4V{u zNy_x0jFM0_=wXa1AzGxH!+MxZRB1!7h$2FjK!Bc7<8#E{nHS1!Sj7yZL;=_>x&olZk9!p{4wD#12m!GbF!M^1P|}eBT1W3!$=Thi2&a;T zWK>K01hUWxOo*b1-lE4+wD4%JqGu9AH%TKL;B=W7vjAR*(-I=ie(Ynu9J)sWkg)iK z$!?i#fd|i%HFT!SHASIr8-9^QfP>{eQ^LGalv2oiF1~sQKBcZT)zS7$LSrx*WHiWV zI`|4Qn#w?O6zrXHnCDFEv{6*LERhaB8c{cIaqizko_;4oceV-a^kvmv|2 zP{tlzmsfj6yC5U<1d_P`)F#?Wf)qO|WrUCOmeH+f5bQ?MuqTl;G71Ab5@=BhqXu}3 zDp6)DY#HxI6k$FE%%?D7cRECJ?es;|bOV|qLqt3AB_J*gvY!t#W=q28i3DZnDVT5t zsAM$sHRy=QAsWi=sG<)H9j29nVVz4D+8(F0eE1S-p04=OE|_ZQCPvI z=J!@H4oHa#Q%5&ErED-MhOR6OwFY23I%27|s~87_$gk3&APqa8A`E2IDN{6GH06!< zV?pe?KCxn06tq6vmg+dubV`m+(?N|{9ab>}T(7_|1+7@YJtK(64`$60If$mkGg=pd zn-&&=U{T&)#}>K|L^C?n0JNZ#@eIxZ8cW-qly*a-dF3uJ$eN>b%8*b5_8G2^PSj-v z|CnuCfffW(Ua<>>5|C*pG*h-a;$C2ogc;4*qboh)cKUU@V4Xv(L4L|7QsDwohv${h z9=iLnb-})B7h*2ZTjeW25&$k8XM@tg@Iea;Ye(z^kl|}~L1#K=t~6i;w35y&DnS{h z+`{ySj`uvDjPYjKH_^FGWiwy}g(|GV0|WKJ#s|7$wfp~r$^e26KqE*)!5^0xatVN_ zo{sbCWG`11#3)ECIxc_%HJ}o0ju=y%wXvU56^GT~D-)gFqiaWC^cbKX-AWLvp)~;0 zcj1pJd)N^KM8Ly3qtBZ0$h@QDOg6%Kv~)FbT-}OF$M%_zw8IqWc!~-@Fa*!ja6XD@ z{3!fL{0RKeGj^VO1P_SG@PnyG;2;n<2(Ql5?~gf$nF3Tt0E3Z7fGm+HSGY2uV4#P7 zbVIye^9~pnOs|fPCr3J*KzoMp?TYQN4`$X9C~p>jklho~8WbfkMWbAp-3bUQ}j?UqF; z#H%$AGhqM(L<%Y?%BPAE@sutIV*mu(RhqBaytkkrwRP1iPPZvZT7aWVJ4~py-FAZ@ z>eZT$bU+>&FA?#0x>1H=Z#o1F$&0*SE6nWcDIP5h#17xdv_t%&qI*CM#ZL|VAXs?4 zxi?C3%yqOHj)&8l77R6Tw@ZTC*v}r)4?~mw)w*F3ulph?SfXs@z>AL=p=wOJAn5L= z7SSw!Ju!@lQVR?Wfut*%>8`CJ>HKYl_wO0j;1qsd&k9-?z5 zlQ1ySx!;&gON+1E4WG9ua+mvZSFKl2$igxhu&c+Oh_2F=cNw z9fPKY*D4d`NV_<7#s4PVVT30G-QHF`Pjn|op;Lzr##ALAI%oLnbA{VPPQoC%j+~Na 
zymOi-3g4aAX6VLm!4W6uE~^5+p(@?W>LZ=Y33LxPqDfw+uKYF=98Nl(W=srh~t2OtaYL?=`{n( z5cn`*6Cz?>;GBpw#)qgFKOl>7ON?7;kkuedgV9t5WEILOlv60DP)?y7nvn|S6w1+h zWsZokjWKkk2|ONby`=1mmP+ONd04}y6{gL`REd;y?|87%21Hm%%K+yAU+!v88@g1z zT^M5N7_0F#DKKz!uoIKum2$4%&rc-KS#uod(YZ1mIqgM-zy;?;$dHPXz>WnIPh=c; zVZaLmUKsEK;ip9SiIDnH@(Eps5KtN&TtK3u^$0~6-4;ZrM;ecudp3E5`Y8t04n{NG zt{0)i2|B~4t7td4Kvthko-R3}`<8_&43T@v*29qsPq)Fv@7Jj ztTD0z`Jr@_tozvz{`}t47mB#o=r7MfL_xVHD#9+(0sYu*!}FO#K09gPemZ_q1br}x z?j1H{6KM6Z^f+>rfp4VqRhb-o45Bvy()RgU%spMs=IBFN zlCH?Yq@!q|n=7Mpw%H)-zp4qRxTd@Eg!FV)iLSS|jv{VB7lXI&ZXnLUPv41tHnRdy z7=jf6+Bw3P(v3wh-4;SXw;{G>#8)>{qY@TIlrC4*(81$|ik1gcbV*V|0ZC2LwY9meJG=eL7B2)TlzX36Gfav9~dg_CO5hf9MH%K zphYG7cj6fMo7%QjqI34Bn`pZmKHq}{ZI8vADsi1|`UD;@v?z(eYD-ttx=dMN%iZ7; zU1MByF4ee-Zt^TW0%pZiZQlfHZj7=whT_08j0vOYAT_iRk*=njvYcmRGI^f|d8Q6n zXy}}Vp${+6VMqpUbITMh7WMnL{H!zdy(V~20WoF5x^oauj08DqTLNK+8{hSg;EOYz(UbV0v3=^0$kMJBZ zBi`-41Hp*&=0w>~bh#}<>=#s_yQMj$%_{*_QvDb%;ui#Dt$2=fS7d6pTyhfBc6V*& zE;D6wU*VYwM?9iqEr{-FsE!V)wM(pYbs-kkKSIQ&;*vhN;{r2u2ceGil^(jKKGGdF zte=fBQ(;Q3FLc`}uy%AM+CcZKA#elXkXoW8J5^CAfXYQjrhx0M4(;3%twtN;heI12 z-i|)JMc<%;gJo4&I^V|)9n5I?aq6V$^ksp((dtEvF&Sb5q!U4k?I-fhsTf7qePlrw zI7NbBmPLg41;RmN`DS?@LorTwYFeH-9TN2cYQhq2yjq=L?z3->3+@>|20t1<3O^D* z;#BBr{E7e+5}FyN0FqZE>8z>%u>DlrUPagPA`w0Dl01F;jr;(dBpn6?Fl_@ySi9S% zPR1DvK+fnU1uZGvLbMaHx~SUIL-r~ry4e$qNw$6Jsn#kiFSN5&gibadR(vu~{i!%$ z8r{MM2`eaQs^}06ePXTl<(>^sIqR&UJJCt~j0jMQC@IB<;$#2`@4ENht*B+BBbjK2 zrBIRrS}2|_EhpLcFZGlVaQzwOKy5kGRS}RAXcPgnZYsSuU0CNHBPhTyf zgZLqn@WVLxT>CfV5R>8uW96vMQJqtD41o*$@Kb_ItBBVzbuI)@vOwN+KUUVsv-Yt~ zd67W1bYC;zgC{RmDLUYs8N|Pc$s=zzi~EZt=-NS453q3<0DXA~11OHJ)rYj%zFT;S z0DZ40QGCL9v{}>r8+2iGsu6|{27vk?FApPAsxB~Upi2=F<>G1j0uqIqhUb?327`Tz zuoFLEsQ@VfQUas|NC~=lo8F_GU>BQ;na;yQi3EKgN$MCf7j&~9ea?rq95*HTi!@~w zoy3o_P##bKq>SFmcAqibN~PN8-6VUFrgFQK4Ui=!Oe1`uq3iq#-4kW#%YLmXRF$Yo zxr>xlWXQ?WCI66P_#66OPN0iNWINQY6k3$%nMBVdpd<$}W}3B+io$!rl1Ie60__2k z#a@MOK}W~v9(09{Q7#-^p#XD@Sp^(PbXo|Af!rGc1whkQ4K2`TiIh1hg#1vy1O#5; 
zoXPK!(}s^rbo)d5&LGT<()2GnsQk$Q-oUZKWpnx<1PibNghSDm5vJ)ckP3d#F)iEh zfxnbTtm|tEh7M#Hs}W5w3`Rl^8_?3Wj|HfYI;JVDCp)77PUv2f40r(5gRd+C*rt8L z&Cm}z1#k!q+=d_MhTB*(kQu^k`fybZEd>IRH^5jM5700C7=FYlc%dY%2;+gF&ys5J z7>-Z{y6&*8<-q=;C|UrBR)#+2gbo^w4kD1GPechtw@kyy(&xXFghoX=@zSb-4OaC| zB5qX(kCnw7F-}+C17|@F2mlD!_o~T@A#`jf>*;b|7U=+o5%et}2ywC@ak|^Z&=+ai z7T2l7cI6X5Mxomo=u}PR)keBmSq0ucPIqz{A!wjoIZIz@6f&bhIAcSHHkoM#_k_Qr zu88mG#!pX|DZ{!`GQSXX=c!yFSflCwbEPP5i&ip7PN8r_qZ3}{v_i1-y<4C^>na17 zGl=Zl@c_E7$kMl=R|uBwI|>-476M2MSTcdB&N}+2o;A#_ASuF%NS71QMQ|9Rkk!!_ z&B%KO4XtVXgv~T62fDnN>^*=_wSg2wlj&>U-KA684p3RzN>?K}OojkRqYsc!a%hqr z8_}h&65OFHs|br?@Ie8RGKi<|-(LY1r0cDV1VBeybbgV(nhO~ti%*}zUGbA?1j2ML zECgJ64HplCQ4@Uy&4zwS#GIcplYT-o6L-` zrhxt?I`XR>I<8mz%#l9vh)A+(@@-Wh%yRVk7tbYqnyT>=hKU0Lxmc-Px|1)_kuJDa z)$X8c{7kY2<`|huAWr&-2ISjfvJ6HTTWUA3CIU*q+m<2Sp+{FY(2f-XBY_7U2cH1& zDqUYicS&bjY*)Z7^npW|Cawfu^OJ7X@pL1vr_HcLLZRtuY>Mw}jw^oBDJdWx4O9?; zNMU2SGjxBVEWlEIgJ8x_x?7NmA|Y-R#Bm2WP8Wp)s}Y(fzT#)1fK`hMk(Nb8`ot+> zN<^55R{>0$x3z}8x62{|SeED}tRU%o4}r%bY=Im;t8hGNXk&7BfITX86EY8&;?7O zqG~DG$`5no>36D1-y9&bWdsRHO9x|^tab;luchDQ22+C{)m!tjZ85d`&%m=n-|))S z(`TWgW{MUWS?E5|n@u%d3=lcpZttsXpI{X9eI#I9`nqQSt}J5kbu|YA;So~OK>_;6 zpV8USRRD0IhIvO8LNofIDv&$xnhOQX1%iF;7>pmP8rT?saBb=8x>8)LCKg--;t~)J z$enY>3;NItU582ch%+d2XjLqJ41P3zdPg>&Dd5aj>s>I|}F1z{jM|Ep0TBFhof{V(C&8+-Hz_UQpiR7fgF zsxEg1V&gI7i7XSpq+1$!di{)5r?5*RDe*a3#*hlRC@qSUp9YDR%`s9~stn{g)Z@Aj zKWZ}n9vDS>5~N9?&hXBl?H6#MTA;gjSpjeEirImqT;TSVrLh`hPBCNSq1SwZ)q`Geeb~W4FJSBdV+R;Jz}Q|&?j8w-Rc*5-s1xBY zOk;lE&&M8%=l@Qv$^da%{j88SW-=4qQBF2T{yA$O*O;WFKlY%g^jZxX(nqL^-FV6? 
zrrcQZl)F{+5A&UYok7PO{>N}2cnHA{*(X(dB6_=c^{DG4a@&C+yq*2)2`n98>1Y_5 z+xfXfYyarAG`Y_S-W#2hiAeC*rCKF$WX}$+Hj-6Hkpo%v*AZ`;hFfz>+me5?W^ql( z{@|lf4=G3^&#o+)yT0E|DeFzT`%o2tp_vNJVYS1rD9BH}*ZI7DBMN*Ec;vpgxto~; zep~+;bP6kij2`4-wO#{r&$T4_Cc(*EJ6xNkX}dvwPZYn8?z*OMYX z@+1bM99*;KVvlkRmnt477qpuG$fo_*bYsF2hVTV0Ve)G++Q6Uf_^Yf)*}lOa-)-&8BZ&h$v!rdsjoKw: creusot_contracts::Default` is not (A, B, C, D) (A, B, C, D, E) (A, B, C, D, E, F) - and 22 others + and 23 others error: error above diff --git a/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr b/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr index 15b406d9be..129c6ceefd 100644 --- a/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr +++ b/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr @@ -40,7 +40,7 @@ error[E0277]: Cannot take the model of `S` [T] creusot_contracts::GhostBox creusot_contracts::Snapshot - and 32 others + and 40 others error[E0277]: Cannot take the model of `S` --> view_unimplemented.rs:11:25 @@ -58,7 +58,7 @@ error[E0277]: Cannot take the model of `S` [T] creusot_contracts::GhostBox creusot_contracts::Snapshot - and 32 others + and 40 others error: internal error: Cannot fetch THIR body diff --git a/creusot/tests/should_succeed/cc/collections.coma b/creusot/tests/should_succeed/cc/collections.coma new file mode 100644 index 0000000000..9878379745 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections.coma 
@@ -0,0 +1,1905 @@ +module M_collections__roundtrip_hashmap_into_iter [#"collections.rs" 15 0 15 87] + let%span scollections0 = "collections.rs" 26 15 26 48 + let%span scollections1 = "collections.rs" 27 14 27 65 + let%span scollections2 = "collections.rs" 28 20 28 43 + let%span scollections3 = "collections.rs" 29 20 29 60 + let%span scollections4 = "collections.rs" 31 20 31 93 + let%span scollections5 = "collections.rs" 14 10 14 24 + let%span siter6 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter7 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map8 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 123 20 123 54 + let%span shash_map9 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 107 12 116 29 + let%span sfmap10 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_map12 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 196 20 196 24 + let%span shash_map13 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 202 20 202 33 + let%span shash_map14 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 240 20 242 73 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 128 14 128 45 + let%span shash_map16 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 126 4 126 10 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 133 15 133 32 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 134 15 134 32 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 135 14 135 42 + let%span shash_map20 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 137 8 137 104 + let%span sresolve21 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel22 = 
"../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap23 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap24 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap31 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap32 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'1 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'1 } + + predicate inv'0 (_1 : t_HashMap'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashMap'0 [inv'0 x] . 
inv'0 x = true + + predicate into_iter_pre'0 (self : t_HashMap'0) = + [%#shash_map12] true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | 
C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'3 = + | C_None'3 + | C_Some'3 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'3; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_FMap'0 + + function view'0 (self : t_HashMap'0) : t_FMap'0 + + function view'2 (self : t_IntoIter'0) : t_FMap'0 + + predicate into_iter_post'0 (self : t_HashMap'0) (res : t_IntoIter'0) = + [%#shash_map13] view'0 self = view'2 res + + let rec into_iter'0 (self:t_HashMap'0) (return' (ret:t_IntoIter'0))= {[@expl:into_iter 'self' type invariant] inv'0 self} + {[@expl:into_iter requires] [%#siter6] into_iter_pre'0 self} + any [ return' (result:t_IntoIter'0)-> {[%#siter6] into_iter_post'0 self result} (! return' {result}) ] + + predicate inv'1 (_1 : t_IntoIter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IntoIter'0 [inv'1 x] . inv'1 x = true + + use prelude.prelude.Borrow + + type t_K'0 + + type t_V'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_IntoIter'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap24] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = + [%#sseq11] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 + + use map.Map + + function view'3 (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + axiom view'3_spec : forall self : t_FMap'0 . [%#sfmap32] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'3 m1 <> view'3 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = + [%#sfmap26] Map.get (view'3 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = + [%#sfmap10] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end + + type t_Option'2 = + | C_None'2 + | C_Some'1 (t_K'0, t_V'0) + + function get'1 (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'2 = + [%#sseq25] if 0 <= ix /\ ix < Seq.length self then C_Some'1 (Seq.get self ix) else C_None'2 + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) = + [%#shash_map9] len'0 (view'2 self) = Seq.length visited + len'0 (view'2 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'2 self) k = C_Some'0 v /\ get'0 (view'2 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'2 o) k = C_Some'0 v + -> get'0 (view'2 self) k = C_Some'0 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . get'0 (view'2 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'0 (view'2 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . 
get'1 visited i1 = C_Some'1 (k, v1) + /\ get'1 visited i2 = C_Some'1 (k, v2) -> i1 = i2) + + function produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_IntoIter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_IntoIter'0) : () + + = + [%#shash_map20] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq (t_K'0, t_V'0), b : t_IntoIter'0, bc : Seq.seq (t_K'0, t_V'0), c : t_IntoIter'0 . ([%#shash_map17] produces'0 a ab b) + -> ([%#shash_map18] produces'0 b bc c) -> ([%#shash_map19] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IntoIter'0) : () = + [%#shash_map16] () + + axiom produces_refl'0_spec : forall self : t_IntoIter'0 . [%#shash_map15] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + + predicate resolve'1 (self : borrowed (t_IntoIter'0)) = + [%#sresolve21] self.final = self.current + + function view'1 (self : borrowed (t_IntoIter'0)) : t_FMap'0 = + [%#smodel22] view'2 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'0 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap27] len'0 (empty'0 _1) = 0) + && ([%#sfmap28] view'3 (empty'0 _1) = Const.const (C_None'1)) + + function ext_eq'0 (self : t_FMap'0) (other : t_FMap'0) : bool = + [%#sfmap31] view'3 self = view'3 other + + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap29] ext_eq'0 self other -> self = other) + && ([%#sfmap30] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'0) : bool = + [%#sfmap23] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_IntoIter'0)) = + [%#shash_map8] resolve'1 self /\ is_empty'0 (view'1 self) + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, t_V'0)) (res : t_HashMap'0) = + [%#shash_map14] forall k : t_K'0, v : t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int . 
0 <= i + /\ i < Seq.length prod + /\ Seq.get prod i = (k, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_IntoIter'0) (return' (ret:t_HashMap'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'0)-> {inv'0 result} + {[%#siter7] exists done' : borrowed (t_IntoIter'0), prod : Seq.seq (t_K'0, t_V'0) . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + function any'0 [#"collections.rs" 10 0 10 20] (_1 : ()) : Seq.seq (t_K'0, t_V'0) + + use prelude.prelude.Snapshot + + function any'1 [#"collections.rs" 10 0 10 20] (_1 : ()) : borrowed (t_IntoIter'0) + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_into_iter'0 (xs:t_HashMap'0) (return' (ret:t_HashMap'0))= (! bb0 + [ bb0 = bb1 + | bb1 = s0 [ s0 = into_iter'0 {xs} (fun (_ret':t_IntoIter'0) -> [ &it0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {it0} (fun (_ret':t_HashMap'0) -> [ &r <- _ret' ] s1) | s1 = bb3 ] + | bb3 = s0 [ s0 = [ &prod <- [%#scollections0] Snapshot.new (any'0 ()) ] s1 | s1 = bb4 ] + | bb4 = s0 [ s0 = [ &it1 <- [%#scollections1] Snapshot.new (any'1 ()) ] s1 | s1 = bb5 ] + | bb5 = s0 + [ s0 = {[@expl:assertion] [%#scollections2] completed'0 (Snapshot.inner it1)} s1 + | s1 = {[@expl:assertion] [%#scollections3] produces'0 it0 (Snapshot.inner prod) (Snapshot.inner it1).current} s2 + | s2 = bb6 ] + + | bb6 = s0 + [ s0 = {[@expl:assertion] [%#scollections4] forall k : t_K'0, v : t_V'0 . 
get'0 (view'0 r) k = C_Some'0 v + -> contains'0 (Snapshot.inner prod) (k, v)} + s1 + | s1 = bb7 ] + + | bb7 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb8 ] + | bb8 = bb9 + | bb9 = bb10 + | bb10 = return' {_0} ] + ) + [ & _0 : t_HashMap'0 = any_l () + | & xs : t_HashMap'0 = xs + | & it0 : t_IntoIter'0 = any_l () + | & r : t_HashMap'0 = any_l () + | & prod : Snapshot.snap_ty (Seq.seq (t_K'0, t_V'0)) = any_l () + | & it1 : Snapshot.snap_ty (borrowed (t_IntoIter'0)) = any_l () ] + + [ return' (result:t_HashMap'0)-> {[@expl:roundtrip_hashmap_into_iter ensures] [%#scollections5] view'0 result + = view'0 xs} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashmap_iter [#"collections.rs" 36 0 36 85] + let%span scollections0 = "collections.rs" 41 15 41 51 + let%span scollections1 = "collections.rs" 42 14 42 61 + let%span scollections2 = "collections.rs" 43 20 43 43 + let%span scollections3 = "collections.rs" 44 20 44 60 + let%span scollections4 = "collections.rs" 46 20 46 95 + let%span scollections5 = "collections.rs" 35 10 35 87 + let%span shash_map6 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 23 0 37 1 + let%span siter7 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map8 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 72 20 72 54 + let%span shash_map9 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 65 29 + let%span sfmap10 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel12 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span shash_map13 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 240 20 242 73 + let%span shash_map14 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 77 14 77 45 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 75 4 75 10 + let%span shash_map16 = 
"../../../../creusot-contracts/src/std/collections/hash_map.rs" 82 15 82 32 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 83 15 83 32 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 84 14 84 42 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 86 8 86 104 + let%span sresolve20 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel21 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap22 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap23 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap25 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap31 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'3 = + { 
t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashMap'1 = + { t_HashMap__base'1: t_HashMap'3 } + + predicate inv'0 (_1 : t_HashMap'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashMap'1 [inv'0 x] . inv'0 x = true + + type t_FMap'1 + + function view'4 (self : t_HashMap'1) : t_FMap'1 + + function view'1 (self : t_HashMap'1) : t_FMap'1 = + [%#smodel12] view'4 self + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + function view'2 (self : t_Iter'0) : t_FMap'1 + + let rec iter'0 (self:t_HashMap'1) (return' (ret:t_Iter'0))= {[@expl:iter 'self' type invariant] inv'0 self} + any [ return' (result:t_Iter'0)-> {[%#shash_map6] view'1 self = view'2 result} (! return' {result}) ] + + predicate inv'1 (_1 : t_Iter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Iter'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'2 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'2 } + + predicate inv'2 (_1 : t_HashMap'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashMap'0 [inv'2 x] . 
inv'2 x = true + + type t_K'0 + + type t_V'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_Iter'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'1) : int + + axiom len'0_spec : forall self : t_FMap'1 . [%#sfmap23] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = + [%#sseq11] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_Option'2 = + | C_None'0 + | C_Some'1 t_V'0 + + type t_Option'3 = + | C_None'3 + | C_Some'4 t_V'0 + + use map.Map + + function view'6 (self : t_FMap'1) : Map.map t_K'0 (t_Option'3) + + axiom view'6_spec : forall self : t_FMap'1 . [%#sfmap31] forall m1 : t_FMap'1, m2 : t_FMap'1 . m1 <> m2 + -> view'6 m1 <> view'6 m2 + + use map.Map + + function get_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_Option'3 = + [%#sfmap25] Map.get (view'6 self) k + + function get'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_Option'2 = + [%#sfmap10] match get_unsized'1 self k with + | C_None'3 -> C_None'0 + | C_Some'4 x -> C_Some'1 x + end + + type t_Option'4 = + | C_None'4 + | C_Some'2 (t_K'0, t_V'0) + + function get'2 (self : Seq.seq (t_K'0, t_V'0)) (ix : int) : t_Option'4 = + [%#sseq24] if 0 <= ix /\ ix < Seq.length self then C_Some'2 (Seq.get self ix) else C_None'4 + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) = + [%#shash_map9] len'0 (view'2 self) = Seq.length visited + len'0 (view'2 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'1 (view'2 self) k = C_Some'1 v /\ get'1 (view'2 o) k = C_None'0) + /\ (forall k : t_K'0, v : t_V'0 . get'1 (view'2 o) k = C_Some'1 v + -> get'1 (view'2 self) k = C_Some'1 v /\ not (exists v2 : t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : t_V'0 . 
get'1 (view'2 self) k = C_Some'1 v + -> contains'0 visited (k, v) \/ get'1 (view'2 o) k = C_Some'1 v) + /\ (forall k : t_K'0, v1 : t_V'0, v2 : t_V'0, i1 : int, i2 : int . get'2 visited i1 = C_Some'2 (k, v1) + /\ get'2 visited i2 = C_Some'2 (k, v2) -> i1 = i2) + + function produces_trans'0 (a : t_Iter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_Iter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_Iter'0) : () + + = + [%#shash_map19] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq (t_K'0, t_V'0), b : t_Iter'0, bc : Seq.seq (t_K'0, t_V'0), c : t_Iter'0 . ([%#shash_map16] produces'0 a ab b) + -> ([%#shash_map17] produces'0 b bc c) -> ([%#shash_map18] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Iter'0) : () = + [%#shash_map15] () + + axiom produces_refl'0_spec : forall self : t_Iter'0 . [%#shash_map14] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + + predicate resolve'1 (self : borrowed (t_Iter'0)) = + [%#sresolve20] self.final = self.current + + function view'3 (self : borrowed (t_Iter'0)) : t_FMap'1 = + [%#smodel21] view'2 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'1 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap26] len'0 (empty'0 _1) = 0) + && ([%#sfmap27] view'6 (empty'0 _1) = Const.const (C_None'3)) + + function ext_eq'0 (self : t_FMap'1) (other : t_FMap'1) : bool = + [%#sfmap30] view'6 self = view'6 other + + axiom ext_eq'0_spec : forall self : t_FMap'1, other : t_FMap'1 . ([%#sfmap28] ext_eq'0 self other -> self = other) + && ([%#sfmap29] (forall k : t_K'0 . 
get_unsized'1 self k = get_unsized'1 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'1) : bool = + [%#sfmap22] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_Iter'0)) = + [%#shash_map8] resolve'1 self /\ is_empty'0 (view'3 self) + + type t_FMap'0 + + function view'0 (self : t_HashMap'0) : t_FMap'0 + + type t_Option'0 = + | C_None'2 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'3 t_V'0 + + use map.Map + + function view'5 (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + axiom view'5_spec : forall self : t_FMap'0 . [%#sfmap31] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'5 m1 <> view'5 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = + [%#sfmap25] Map.get (view'5 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = + [%#sfmap10] match get_unsized'0 self k with + | C_None'1 -> C_None'2 + | C_Some'3 x -> C_Some'0 x + end + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, t_V'0)) (res : t_HashMap'0) = + [%#shash_map13] forall k : t_K'0, v : t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int . 0 <= i + /\ i < Seq.length prod + /\ Seq.get prod i = (k, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_Iter'0) (return' (ret:t_HashMap'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'0)-> {inv'2 result} + {[%#siter7] exists done' : borrowed (t_Iter'0), prod : Seq.seq (t_K'0, t_V'0) . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! 
return' {result}) ] + + + function any'0 [#"collections.rs" 10 0 10 20] (_1 : ()) : Seq.seq (t_K'0, t_V'0) + + use prelude.prelude.Snapshot + + function any'1 [#"collections.rs" 10 0 10 20] (_1 : ()) : borrowed (t_Iter'0) + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_iter'0 (xs:t_HashMap'1) (return' (ret:t_HashMap'0))= (! bb0 + [ bb0 = s0 [ s0 = iter'0 {xs} (fun (_ret':t_Iter'0) -> [ &it0 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = collect'0 {it0} (fun (_ret':t_HashMap'0) -> [ &r <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = [ &prod <- [%#scollections0] Snapshot.new (any'0 ()) ] s1 | s1 = bb3 ] + | bb3 = s0 [ s0 = [ &it1 <- [%#scollections1] Snapshot.new (any'1 ()) ] s1 | s1 = bb4 ] + | bb4 = s0 + [ s0 = {[@expl:assertion] [%#scollections2] completed'0 (Snapshot.inner it1)} s1 + | s1 = {[@expl:assertion] [%#scollections3] produces'0 it0 (Snapshot.inner prod) (Snapshot.inner it1).current} s2 + | s2 = {[@expl:assertion] [%#scollections4] forall k : t_K'0, v : t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> contains'0 (Snapshot.inner prod) (k, v)} + s3 + | s3 = bb5 ] + + | bb5 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : t_HashMap'0 = any_l () + | & xs : t_HashMap'1 = xs + | & it0 : t_Iter'0 = any_l () + | & r : t_HashMap'0 = any_l () + | & prod : Snapshot.snap_ty (Seq.seq (t_K'0, t_V'0)) = any_l () + | & it1 : Snapshot.snap_ty (borrowed (t_Iter'0)) = any_l () ] + + [ return' (result:t_HashMap'0)-> {[@expl:roundtrip_hashmap_iter ensures] [%#scollections5] forall k : t_K'0, v : t_V'0 . (get'0 (view'0 result) k + = C_Some'0 v) + = (get'1 (view'1 xs) k = C_Some'1 v)} + (! 
return' {result}) ] + +end +module M_collections__roundtrip_hashmap_iter_mut [#"collections.rs" 53 0 53 97] + let%span scollections0 = "collections.rs" 58 15 58 55 + let%span scollections1 = "collections.rs" 59 14 59 65 + let%span scollections2 = "collections.rs" 60 20 60 43 + let%span scollections3 = "collections.rs" 61 20 61 60 + let%span scollections4 = "collections.rs" 63 20 63 99 + let%span scollections5 = "collections.rs" 50 10 50 118 + let%span scollections6 = "collections.rs" 51 10 51 96 + let%span scollections7 = "collections.rs" 52 10 52 99 + let%span shash_map8 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 23 0 37 1 + let%span siter9 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map10 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 174 20 174 54 + let%span shash_map11 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 158 12 167 29 + let%span sfmap12 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel14 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap15 = "../../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap16 = "../../../../creusot-contracts/src/logic/fmap.rs" 228 8 228 24 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 230 20 232 99 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 240 20 242 73 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 179 14 179 45 + let%span shash_map20 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 177 4 177 10 + let%span shash_map21 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 184 15 184 32 + let%span shash_map22 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 185 15 185 32 + let%span shash_map23 = 
"../../../../creusot-contracts/src/std/collections/hash_map.rs" 186 14 186 42 + let%span shash_map24 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 188 8 188 104 + let%span sresolve25 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq28 = "../../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 116 9 116 31 + let%span sfmap31 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap32 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap33 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap34 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap35 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap36 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap37 = "../../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 + let%span sutil38 = "../../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil39 = "../../../../creusot-contracts/src/util.rs" 56 10 56 28 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); 
t_RawTable__marker'0: () } + + type t_HashMap'2 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'2 } + + predicate inv'0 (_1 : borrowed (t_HashMap'0)) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_HashMap'0) [inv'0 x] . inv'0 x = true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } + + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } + + type t_K'0 + + type t_FMap'1 + + function view'2 (self : t_HashMap'0) : t_FMap'1 + + type t_V'0 + + type t_Option'3 = + | C_None'2 + | C_Some'4 t_V'0 + + use map.Map + + function view'6 (self : t_FMap'1) : Map.map t_K'0 (t_Option'3) + + axiom view'6_spec : forall self : t_FMap'1 . [%#sfmap36] forall m1 : t_FMap'1, m2 : t_FMap'1 . m1 <> m2 + -> view'6 m1 <> view'6 m2 + + use map.Map + + function get_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_Option'3 = + [%#sfmap29] Map.get (view'6 self) k + + function contains'2 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : bool = + [%#sfmap15] get_unsized'1 self k <> C_None'2 + + type t_FMap'2 + + function view'4 (self : t_IterMut'0) : t_FMap'2 + + type t_Option'1 = + | C_None'1 + | C_Some'3 (borrowed t_V'0) + + use map.Map + + function view'7 (self : t_FMap'2) : Map.map t_K'0 (t_Option'1) + + axiom view'7_spec : forall self : t_FMap'2 . 
[%#sfmap36] forall m1 : t_FMap'2, m2 : t_FMap'2 . m1 <> m2 + -> view'7 m1 <> view'7 m2 + + use map.Map + + function get_unsized'2 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : t_Option'1 = + [%#sfmap29] Map.get (view'7 self) k + + function contains'3 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : bool = + [%#sfmap15] get_unsized'2 self k <> C_None'1 + + function unwrap'1 (op : t_Option'3) : t_V'0 + + axiom unwrap'1_spec : forall op : t_Option'3 . ([%#sutil38] op <> C_None'2) + -> ([%#sutil39] C_Some'4 (unwrap'1 op) = op) + + function lookup_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_V'0 = + [%#sfmap37] unwrap'1 (get_unsized'1 self k) + + function lookup'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_V'0 = + [%#sfmap30] lookup_unsized'1 self k + + function index_logic'1 [@inline:trivial] (self : t_FMap'1) (key : t_K'0) : t_V'0 = + [%#sfmap16] lookup'1 self key + + function unwrap'0 (op : t_Option'1) : borrowed t_V'0 + + axiom unwrap'0_spec : forall op : t_Option'1 . ([%#sutil38] op <> C_None'1) + -> ([%#sutil39] C_Some'3 (unwrap'0 op) = op) + + function lookup_unsized'2 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : borrowed t_V'0 = + [%#sfmap37] unwrap'0 (get_unsized'2 self k) + + function lookup'2 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : borrowed t_V'0 = + [%#sfmap30] lookup_unsized'2 self k + + function index_logic'2 [@inline:trivial] (self : t_FMap'2) (key : t_K'0) : borrowed t_V'0 = + [%#sfmap16] lookup'2 self key + + predicate into_iter_post'0 (self : borrowed (t_HashMap'0)) (res : t_IterMut'0) = + [%#shash_map17] forall k : t_K'0 . contains'2 (view'2 self.current) k = contains'2 (view'2 self.final) k + /\ (forall k : t_K'0 . contains'2 (view'2 self.current) k = contains'3 (view'4 res) k) + /\ (forall k : t_K'0 . 
contains'2 (view'2 self.current) k + -> index_logic'1 (view'2 self.current) k = (index_logic'2 (view'4 res) k).current + /\ index_logic'1 (view'2 self.final) k = (index_logic'2 (view'4 res) k).final) + + let rec iter_mut'0 (self:borrowed (t_HashMap'0)) (return' (ret:t_IterMut'0))= {[@expl:iter_mut 'self' type invariant] inv'0 self} + any [ return' (result:t_IterMut'0)-> {[%#shash_map8] into_iter_post'0 self result} (! return' {result}) ] + + predicate inv'1 (_1 : t_IterMut'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IterMut'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'3 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashMap'1 = + { t_HashMap__base'1: t_HashMap'3 } + + predicate inv'2 (_1 : t_HashMap'1) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashMap'1 [inv'2 x] . inv'2 x = true + + use seq.Seq + + predicate resolve'1 (_1 : t_IterMut'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'2) : int + + axiom len'0_spec : forall self : t_FMap'2 . [%#sfmap27] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) = + [%#sseq13] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) + + function get'2 [@inline:trivial] (self : t_FMap'2) (k : t_K'0) : t_Option'0 = + [%#sfmap12] match get_unsized'2 self k with + | C_None'1 -> C_None'0 + | C_Some'3 x -> C_Some'0 x + end + + type t_Option'4 = + | C_None'4 + | C_Some'2 (t_K'0, borrowed t_V'0) + + function get'3 (self : Seq.seq (t_K'0, borrowed t_V'0)) (ix : int) : t_Option'4 = + [%#sseq28] if 0 <= ix /\ ix < Seq.length self then C_Some'2 (Seq.get self ix) else C_None'4 + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) = + [%#shash_map11] len'0 (view'4 self) = Seq.length visited + len'0 (view'4 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'2 (view'4 self) k = C_Some'0 v /\ get'2 (view'4 o) k = C_None'0) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'2 (view'4 o) k = C_Some'0 v + -> get'2 (view'4 self) k = C_Some'0 v /\ not (exists v2 : borrowed t_V'0 . contains'0 visited (k, v2))) + /\ (forall k : t_K'0, v : borrowed t_V'0 . get'2 (view'4 self) k = C_Some'0 v + -> contains'0 visited (k, v) \/ get'2 (view'4 o) k = C_Some'0 v) + /\ (forall k : t_K'0, v1 : borrowed t_V'0, v2 : borrowed t_V'0, i1 : int, i2 : int . get'3 visited i1 + = C_Some'2 (k, v1) + /\ get'3 visited i2 = C_Some'2 (k, v2) -> i1 = i2) + + function produces_trans'0 (a : t_IterMut'0) (ab : Seq.seq (t_K'0, borrowed t_V'0)) (b : t_IterMut'0) (bc : Seq.seq (t_K'0, borrowed t_V'0)) (c : t_IterMut'0) : () + + = + [%#shash_map24] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_IterMut'0, ab : Seq.seq (t_K'0, borrowed t_V'0), b : t_IterMut'0, bc : Seq.seq (t_K'0, borrowed t_V'0), c : t_IterMut'0 . 
([%#shash_map21] produces'0 a ab b) + -> ([%#shash_map22] produces'0 b bc c) -> ([%#shash_map23] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IterMut'0) : () = + [%#shash_map20] () + + axiom produces_refl'0_spec : forall self : t_IterMut'0 . [%#shash_map19] produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self + + predicate resolve'2 (self : borrowed (t_IterMut'0)) = + [%#sresolve25] self.final = self.current + + function view'3 (self : borrowed (t_IterMut'0)) : t_FMap'2 = + [%#smodel14] view'4 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'2 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap31] len'0 (empty'0 _1) = 0) + && ([%#sfmap32] view'7 (empty'0 _1) = Const.const (C_None'1)) + + function ext_eq'0 (self : t_FMap'2) (other : t_FMap'2) : bool = + [%#sfmap35] view'7 self = view'7 other + + axiom ext_eq'0_spec : forall self : t_FMap'2, other : t_FMap'2 . ([%#sfmap33] ext_eq'0 self other -> self = other) + && ([%#sfmap34] (forall k : t_K'0 . get_unsized'2 self k = get_unsized'2 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'2) : bool = + [%#sfmap26] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_IterMut'0)) = + [%#shash_map10] resolve'2 self /\ is_empty'0 (view'3 self) + + type t_FMap'0 + + function view'0 (self : t_HashMap'1) : t_FMap'0 + + use map.Map + + function view'5 (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) + + axiom view'5_spec : forall self : t_FMap'0 . [%#sfmap36] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'5 m1 <> view'5 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = + [%#sfmap29] Map.get (view'5 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : t_Option'0 = + [%#sfmap12] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'3 x -> C_Some'0 x + end + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, borrowed t_V'0)) (res : t_HashMap'1) = + [%#shash_map18] forall k : t_K'0, v : borrowed t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int . 0 <= i + /\ i < Seq.length prod + /\ Seq.get prod i = (k, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_IterMut'0) (return' (ret:t_HashMap'1))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'1)-> {inv'2 result} + {[%#siter9] exists done' : borrowed (t_IterMut'0), prod : Seq.seq (t_K'0, borrowed t_V'0) . resolve'1 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! 
return' {result}) ] + + + function any'0 [#"collections.rs" 10 0 10 20] (_1 : ()) : Seq.seq (t_K'0, borrowed t_V'0) + + use prelude.prelude.Snapshot + + function any'1 [#"collections.rs" 10 0 10 20] (_1 : ()) : borrowed (t_IterMut'0) + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + predicate resolve'3 (self : borrowed (t_HashMap'0)) = + [%#sresolve25] self.final = self.current + + predicate resolve'0 (_1 : borrowed (t_HashMap'0)) = + resolve'3 _1 + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + use prelude.prelude.Snapshot + + function view'1 (self : borrowed (t_HashMap'0)) : t_FMap'1 = + [%#smodel14] view'2 self.current + + type t_Option'2 = + | C_None'3 + | C_Some'1 t_V'0 + + function get'1 [@inline:trivial] (self : t_FMap'1) (k : t_K'0) : t_Option'2 = + [%#sfmap12] match get_unsized'1 self k with + | C_None'2 -> C_None'3 + | C_Some'4 x -> C_Some'1 x + end + + function contains'1 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : bool = + [%#sfmap15] get_unsized'0 self k <> C_None'1 + + function lookup_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : borrowed t_V'0 = + [%#sfmap37] unwrap'0 (get_unsized'0 self k) + + function lookup'0 [@inline:trivial] (self : t_FMap'0) (k : t_K'0) : borrowed t_V'0 = + [%#sfmap30] lookup_unsized'0 self k + + function index_logic'0 [@inline:trivial] (self : t_FMap'0) (key : t_K'0) : borrowed t_V'0 = + [%#sfmap16] lookup'0 self key + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_iter_mut'0 (xs:borrowed (t_HashMap'0)) (return' (ret:t_HashMap'1))= (! 
bb0 + [ bb0 = s0 + [ s0 = Borrow.borrow_final {xs.current} {Borrow.get_id xs} + (fun (_ret':borrowed (t_HashMap'0)) -> [ &_6 <- _ret' ] [ &xs <- { xs with current = _ret'.final } ] s1) + | s1 = iter_mut'0 {_6} (fun (_ret':t_IterMut'0) -> [ &it0 <- _ret' ] s2) + | s2 = bb1 ] + + | bb1 = s0 [ s0 = collect'0 {it0} (fun (_ret':t_HashMap'1) -> [ &r <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = [ &prod <- [%#scollections0] Snapshot.new (any'0 ()) ] s1 | s1 = bb3 ] + | bb3 = s0 [ s0 = [ &it1 <- [%#scollections1] Snapshot.new (any'1 ()) ] s1 | s1 = bb4 ] + | bb4 = s0 + [ s0 = {[@expl:assertion] [%#scollections2] completed'0 (Snapshot.inner it1)} s1 + | s1 = {[@expl:assertion] [%#scollections3] produces'0 it0 (Snapshot.inner prod) (Snapshot.inner it1).current} s2 + | s2 = {[@expl:assertion] [%#scollections4] forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> contains'0 (Snapshot.inner prod) (k, v)} + s3 + | s3 = bb5 ] + + | bb5 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb6 ] + | bb6 = s0 [ s0 = -{resolve'0 xs}- s1 | s1 = return' {_0} ] ] + ) + [ & _0 : t_HashMap'1 = any_l () + | & xs : borrowed (t_HashMap'0) = xs + | & it0 : t_IterMut'0 = any_l () + | & _6 : borrowed (t_HashMap'0) = any_l () + | & r : t_HashMap'1 = any_l () + | & prod : Snapshot.snap_ty (Seq.seq (t_K'0, borrowed t_V'0)) = any_l () + | & it1 : Snapshot.snap_ty (borrowed (t_IterMut'0)) = any_l () ] + + [ return' (result:t_HashMap'1)-> {[@expl:roundtrip_hashmap_iter_mut ensures #0] [%#scollections5] forall k : t_K'0, v : borrowed t_V'0 . get'0 (view'0 result) k + = C_Some'0 v -> get'1 (view'1 xs) k = C_Some'1 (v.current) /\ get'1 (view'2 xs.final) k = C_Some'1 (v.final)} + {[@expl:roundtrip_hashmap_iter_mut ensures #1] [%#scollections6] forall k : t_K'0, v : t_V'0 . get'1 (view'1 xs) k + = C_Some'1 v -> contains'1 (view'0 result) k /\ (index_logic'0 (view'0 result) k).current = v} + {[@expl:roundtrip_hashmap_iter_mut ensures #2] [%#scollections7] forall k : t_K'0, v : t_V'0 . 
get'1 (view'2 xs.final) k + = C_Some'1 v -> contains'1 (view'0 result) k /\ (index_logic'0 (view'0 result) k).final = v} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashset_into_iter [#"collections.rs" 68 0 68 78] + let%span scollections0 = "collections.rs" 67 10 67 24 + let%span siter1 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_set3 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 142 20 142 24 + let%span shash_set4 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 148 20 148 33 + let%span shash_set5 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 118 20 118 38 + let%span shash_set6 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 104 20 111 27 + let%span shash_set7 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 170 20 170 69 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 123 14 123 45 + let%span shash_set9 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 121 4 121 10 + let%span shash_set10 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 128 15 128 32 + let%span shash_set11 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 129 15 129 32 + let%span shash_set12 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 130 14 130 42 + let%span shash_set13 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 132 8 132 44 + let%span smodel14 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfset15 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq16 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq18 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use 
prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + predicate inv'0 (_1 : t_HashSet'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'0 [inv'0 x] . inv'0 x = true + + predicate into_iter_pre'0 (self : t_HashSet'0) = + [%#shash_set3] true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | 
C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } + + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_T'0 + + use set.Fset + + function view'0 (self : t_HashSet'0) : Fset.fset t_T'0 + + function view'1 (self : t_IntoIter'0) : Fset.fset t_T'0 + + predicate into_iter_post'0 (self : t_HashSet'0) (res : t_IntoIter'0) = + [%#shash_set4] view'0 self = view'1 
res + + let rec into_iter'0 (self:t_HashSet'0) (return' (ret:t_IntoIter'0))= {[@expl:into_iter 'self' type invariant] inv'0 self} + {[@expl:into_iter requires] [%#siter1] into_iter_pre'0 self} + any [ return' (result:t_IntoIter'0)-> {[%#siter1] into_iter_post'0 self result} (! return' {result}) ] + + predicate inv'1 (_1 : t_IntoIter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IntoIter'0 [inv'1 x] . inv'1 x = true + + use prelude.prelude.Borrow + + use seq.Seq + + predicate resolve'0 (_1 : t_IntoIter'0) = + true + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_T'0) (e : t_T'0) = + [%#sfset15] Fset.mem e self + + use seq.Seq + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq16] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + use seq.Seq + + function concat_contains'0 (_1 : ()) : () = + [%#sseq18] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq17] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x + + use seq.Seq + + predicate produces'0 (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = + [%#shash_set6] Fset.cardinal (view'1 self) = Seq.length visited + Fset.cardinal (view'1 o) + /\ (forall x : t_T'0 . contains'0 (view'1 self) x -> contains'1 visited x \/ contains'0 (view'1 o) x) + /\ (forall x : t_T'0 . contains'1 visited x -> contains'0 (view'1 self) x /\ not contains'0 (view'1 o) x) + /\ (forall x : t_T'0 . contains'0 (view'1 o) x -> contains'0 (view'1 self) x /\ not contains'1 visited x) + /\ (forall x : t_T'0, i : int, j : int . 
0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) + + function produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + = + [%#shash_set13] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq t_T'0, b : t_IntoIter'0, bc : Seq.seq t_T'0, c : t_IntoIter'0 . ([%#shash_set10] produces'0 a ab b) + -> ([%#shash_set11] produces'0 b bc c) -> ([%#shash_set12] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IntoIter'0) : () = + [%#shash_set9] () + + axiom produces_refl'0_spec : forall self : t_IntoIter'0 . [%#shash_set8] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + function view'2 (self : borrowed (t_IntoIter'0)) : Fset.fset t_T'0 = + [%#smodel14] view'1 self.current + + use set.Fset + + predicate completed'0 (self : borrowed (t_IntoIter'0)) = + [%#shash_set5] Fset.is_empty (view'2 self) + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set7] forall x : t_T'0 . contains'0 (view'0 res) x = contains'1 prod x + + let rec collect'0 (self:t_IntoIter'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashSet'0)-> {inv'0 result} + {[%#siter2] exists done' : borrowed (t_IntoIter'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashset_into_iter'0 (xs:t_HashSet'0) (return' (ret:t_HashSet'0))= (! 
bb0 + [ bb0 = bb1 + | bb1 = s0 [ s0 = into_iter'0 {xs} (fun (_ret':t_IntoIter'0) -> [ &_3 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {_3} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : t_HashSet'0 = any_l () | & xs : t_HashSet'0 = xs | & _3 : t_IntoIter'0 = any_l () ] + [ return' (result:t_HashSet'0)-> {[@expl:roundtrip_hashset_into_iter ensures] [%#scollections0] view'0 result + = view'0 xs} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashset_iter [#"collections.rs" 73 0 73 75] + let%span scollections0 = "collections.rs" 72 10 72 63 + let%span shash_set1 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 19 0 38 1 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span sfset3 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span shash_set5 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 69 20 69 38 + let%span shash_set6 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 55 20 62 27 + let%span shash_set7 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 170 20 170 69 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 74 14 74 45 + let%span shash_set9 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 72 4 72 10 + let%span shash_set10 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 79 15 79 32 + let%span shash_set11 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 80 15 80 32 + let%span shash_set12 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 81 14 81 42 + let%span shash_set13 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 83 8 83 44 + let%span smodel14 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sseq15 = 
"../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq16 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'1 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashSet'3 = + { t_HashSet__map'1: t_HashMap'1 } + + type t_HashSet'1 = + { t_HashSet__base'1: t_HashSet'3 } + + predicate inv'0 (_1 : t_HashSet'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'1 [inv'0 x] . 
inv'0 x = true + + type t_T'0 + + use set.Fset + + function view'3 (self : t_HashSet'1) : Fset.fset t_T'0 + + function view'1 (self : t_HashSet'1) : Fset.fset t_T'0 = + [%#smodel4] view'3 self + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + function view'2 (self : t_Iter'0) : Fset.fset t_T'0 + + let rec iter'0 (self:t_HashSet'1) (return' (ret:t_Iter'0))= {[@expl:iter 'self' type invariant] inv'0 self} + any [ return' (result:t_Iter'0)-> {[%#shash_set1] view'1 self = view'2 result} (! return' {result}) ] + + predicate inv'1 (_1 : t_Iter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Iter'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'2 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'2 } + + predicate inv'2 (_1 : t_HashSet'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashSet'0 [inv'2 x] . 
inv'2 x = true + + use seq.Seq + + predicate resolve'0 (_1 : t_Iter'0) = + true + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'1 [@inline:trivial] (self : Fset.fset t_T'0) (e : t_T'0) = + [%#sfset3] Fset.mem e self + + use seq.Seq + + predicate contains'2 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq15] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + use seq.Seq + + function concat_contains'0 (_1 : ()) : () = + [%#sseq17] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq16] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'2 (Seq.(++) a b) x + = contains'2 a x + \/ contains'2 b x + + use seq.Seq + + predicate produces'0 (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) = + [%#shash_set6] Fset.cardinal (view'2 self) = Seq.length visited + Fset.cardinal (view'2 o) + /\ (forall x : t_T'0 . contains'1 (view'2 self) x -> contains'2 visited x \/ contains'1 (view'2 o) x) + /\ (forall x : t_T'0 . contains'2 visited x -> contains'1 (view'2 self) x /\ not contains'1 (view'2 o) x) + /\ (forall x : t_T'0 . contains'1 (view'2 o) x -> contains'1 (view'2 self) x /\ not contains'2 visited x) + /\ (forall x : t_T'0, i : int, j : int . 0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) + + function produces_trans'0 (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + = + [%#shash_set13] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq t_T'0, b : t_Iter'0, bc : Seq.seq t_T'0, c : t_Iter'0 . 
([%#shash_set10] produces'0 a ab b) + -> ([%#shash_set11] produces'0 b bc c) -> ([%#shash_set12] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Iter'0) : () = + [%#shash_set9] () + + axiom produces_refl'0_spec : forall self : t_Iter'0 . [%#shash_set8] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + function view'4 (self : borrowed (t_Iter'0)) : Fset.fset t_T'0 = + [%#smodel14] view'2 self.current + + use set.Fset + + predicate completed'0 (self : borrowed (t_Iter'0)) = + [%#shash_set5] Fset.is_empty (view'4 self) + + use set.Fset + + function view'0 (self : t_HashSet'0) : Fset.fset t_T'0 + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_T'0) (e : t_T'0) = + [%#sfset3] Fset.mem e self + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set7] forall x : t_T'0 . contains'0 (view'0 res) x = contains'2 prod x + + let rec collect'0 (self:t_Iter'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashSet'0)-> {inv'2 result} + {[%#siter2] exists done' : borrowed (t_Iter'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashset_iter'0 (xs:t_HashSet'1) (return' (ret:t_HashSet'0))= (! bb0 + [ bb0 = s0 [ s0 = iter'0 {xs} (fun (_ret':t_Iter'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = collect'0 {_3} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_HashSet'0 = any_l () | & xs : t_HashSet'1 = xs | & _3 : t_Iter'0 = any_l () ] + [ return' (result:t_HashSet'0)-> {[@expl:roundtrip_hashset_iter ensures] [%#scollections0] forall k : t_T'0 . contains'0 (view'0 result) k + = contains'1 (view'1 xs) k} + (! 
return' {result}) ] + +end +module M_collections__hashset_intersection [#"collections.rs" 78 0 78 96] + let%span scollections0 = "collections.rs" 77 10 77 42 + let%span shash_set1 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 32 30 32 67 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter3 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span smodel4 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span scopied5 = "../../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span scopied6 = "../../../../creusot-contracts/src/std/iter/copied.rs" 40 12 40 105 + let%span scopied7 = "../../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 170 20 170 69 + let%span scopied9 = "../../../../creusot-contracts/src/std/iter/copied.rs" 21 8 21 29 + let%span scopied10 = "../../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 + let%span scopied11 = "../../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 + let%span scopied12 = "../../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 + let%span scopied13 = "../../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 + let%span shash_set14 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 203 20 203 56 + let%span shash_set15 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 189 20 196 27 + let%span sfset16 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_set18 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 208 14 208 45 + let%span shash_set19 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 206 4 206 10 + let%span shash_set20 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 213 15 213 32 + 
let%span shash_set21 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 214 15 214 32 + let%span shash_set22 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 215 14 215 42 + let%span shash_set23 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 217 8 217 44 + let%span sresolve24 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel25 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sseq26 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq27 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + predicate inv'0 (_1 : t_HashSet'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'0 [inv'0 x] . 
inv'0 x = true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + predicate inv'1 (_1 : t_Intersection'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Intersection'0 [inv'1 x] . inv'1 x = true + + type t_T'0 + + use set.Fset + + function view'2 (self : t_Intersection'0) : Fset.fset t_T'0 + + function view'0 (self : t_HashSet'0) : Fset.fset t_T'0 + + function view'1 (self : t_HashSet'0) : Fset.fset t_T'0 = + [%#smodel4] view'0 self + + use set.Fset + + let rec intersection'0 (self:t_HashSet'0) (other:t_HashSet'0) (return' (ret:t_Intersection'0))= {[@expl:intersection 'self' type invariant] inv'0 self} + {[@expl:intersection 'other' type invariant] inv'0 other} + any + [ return' (result:t_Intersection'0)-> {inv'1 result} + {[%#shash_set1] view'2 result = Fset.inter (view'1 self) (view'1 other)} + (! return' {result}) ] + + + type t_Copied'0 = + { t_Copied__it'0: t_Intersection'0 } + + predicate inv'2 (_1 : t_Copied'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_Copied'0 [inv'2 x] . inv'2 x = true + + function iter'0 (self : t_Copied'0) : t_Intersection'0 + + axiom iter'0_spec : forall self : t_Copied'0 . 
[%#scopied5] inv'2 self -> inv'1 (iter'0 self) + + let rec copied'0 (self:t_Intersection'0) (return' (ret:t_Copied'0))= {[@expl:copied 'self' type invariant] inv'1 self} + any [ return' (result:t_Copied'0)-> {inv'2 result} {[%#siter2] iter'0 result = self} (! return' {result}) ] + + predicate inv'3 (_1 : t_HashSet'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_HashSet'0 [inv'3 x] . inv'3 x = true + + use seq.Seq + + predicate resolve'2 (_1 : t_Intersection'0) = + true + + predicate resolve'1 (self : t_Copied'0) = + [%#scopied9] resolve'2 (iter'0 self) + + predicate resolve'0 (_1 : t_Copied'0) = + resolve'1 _1 + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + predicate contains'2 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + function concat_contains'0 (_1 : ()) : () = + [%#sseq27] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq26] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'2 (Seq.(++) a b) x + = contains'2 a x + \/ contains'2 b x + + use seq.Seq + + use set.Fset + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_T'0) (e : t_T'0) = + [%#sfset16] Fset.mem e self + + predicate produces'1 (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = + [%#shash_set15] Fset.cardinal (view'2 self) = Seq.length visited + Fset.cardinal (view'2 o) + /\ (forall x : t_T'0 . contains'0 (view'2 self) x -> contains'2 visited x \/ contains'0 (view'2 o) x) + /\ (forall x : t_T'0 . contains'2 visited x -> contains'0 (view'2 self) x /\ not contains'0 (view'2 o) x) + /\ (forall x : t_T'0 . contains'0 (view'2 o) x -> contains'0 (view'2 self) x /\ not contains'2 visited x) + /\ (forall x : t_T'0, i : int, j : int . 
0 <= i + /\ i < Seq.length visited /\ 0 <= j /\ j < Seq.length visited /\ Seq.get visited i = x /\ Seq.get visited j = x + -> i = j) + + function produces_trans'1 (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () + + = + [%#shash_set23] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom produces_trans'1_spec : forall a : t_Intersection'0, ab : Seq.seq t_T'0, b : t_Intersection'0, bc : Seq.seq t_T'0, c : t_Intersection'0 . ([%#shash_set20] produces'1 a ab b) + -> ([%#shash_set21] produces'1 b bc c) -> ([%#shash_set22] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 (self : t_Intersection'0) : () = + [%#shash_set19] () + + axiom produces_refl'1_spec : forall self : t_Intersection'0 . [%#shash_set18] produces'1 self (Seq.empty : Seq.seq t_T'0) self + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) = + [%#scopied7] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + + function produces_trans'0 (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () + + + axiom produces_trans'0_spec : forall a : t_Copied'0, ab : Seq.seq t_T'0, b : t_Copied'0, bc : Seq.seq t_T'0, c : t_Copied'0 . ([%#scopied11] produces'0 a ab b) + -> ([%#scopied12] produces'0 b bc c) -> ([%#scopied13] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Copied'0) : () + + axiom produces_refl'0_spec : forall self : t_Copied'0 . 
[%#scopied10] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + predicate resolve'3 (self : borrowed (t_Intersection'0)) = + [%#sresolve24] self.final = self.current + + function view'3 (self : borrowed (t_Intersection'0)) : Fset.fset t_T'0 = + [%#smodel25] view'2 self.current + + use set.Fset + + predicate completed'1 (self : borrowed (t_Intersection'0)) = + [%#shash_set14] resolve'3 self /\ Fset.is_empty (view'3 self) + + predicate completed'0 (self : borrowed (t_Copied'0)) = + [%#scopied6] exists inner : borrowed (t_Intersection'0) . inner.current = iter'0 self.current + /\ inner.final = iter'0 self.final /\ completed'1 inner + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set8] forall x : t_T'0 . contains'0 (view'0 res) x = contains'1 prod x + + let rec collect'0 (self:t_Copied'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'2 self} + any + [ return' (result:t_HashSet'0)-> {inv'3 result} + {[%#siter3] exists done' : borrowed (t_Copied'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec hashset_intersection'0 (xs:t_HashSet'0) (ys:t_HashSet'0) (return' (ret:t_HashSet'0))= (! 
bb0 + [ bb0 = s0 [ s0 = intersection'0 {xs} {ys} (fun (_ret':t_Intersection'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = copied'0 {_5} (fun (_ret':t_Copied'0) -> [ &_4 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {_4} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = return' {_0} ] + ) + [ & _0 : t_HashSet'0 = any_l () + | & xs : t_HashSet'0 = xs + | & ys : t_HashSet'0 = ys + | & _4 : t_Copied'0 = any_l () + | & _5 : t_Intersection'0 = any_l () ] + + [ return' (result:t_HashSet'0)-> {[@expl:hashset_intersection ensures] [%#scollections0] view'0 result + = Fset.inter (view'1 xs) (view'1 ys)} + (! return' {result}) ] + +end
diff --git a/creusot/tests/should_succeed/cc/collections.rs b/creusot/tests/should_succeed/cc/collections.rs
new file mode 100644
index 0000000000..720f5404c4
--- /dev/null
+++ b/creusot/tests/should_succeed/cc/collections.rs
@@ -0,0 +1,80 @@
+extern crate creusot_contracts;
+use creusot_contracts::*;
+use std::{
+ collections::{hash_map, HashMap, HashSet},
+ hash::Hash,
+};
+
+#[trusted]
+#[logic]
+pub fn any() -> T {
+ dead
+}
+
+#[ensures(result@ == xs@)]
+pub fn roundtrip_hashmap_into_iter(xs: HashMap) -> HashMap {
+ let it0 = xs.into_iter();
+ let r: HashMap = it0.collect();
+ /*
+ let x = snapshot! { such_that(|x: (Seq<(K,V)>, &mut hash_map::IntoIter)| {
+ let (prod, it1) = x;
+ it1.completed()
+ && it0.produces(prod, *it1)
+ })}; */
+
+ // epsilon
+ let prod = snapshot! { any::>() };
+ let it1 = snapshot! { any::<&mut hash_map::IntoIter>() };
+ proof_assert! { it1.inner().completed() };
+ proof_assert! { it0.produces(prod.inner(), *it1.inner()) };
+
+ proof_assert! { forall r@.get(k) == Some(v) ==> prod.inner().contains((k, v))};
+ r
+}
+
+#[ensures(forall (result@.get(k) == Some(v)) == (xs@.get(*k) == Some(*v)))]
+pub fn roundtrip_hashmap_iter(xs: &HashMap) -> HashMap<&K, &V> {
+ let it0 = xs.iter();
+ let r: HashMap<&K, &V> = it0.collect();
+
+ // epsilon
+ let prod = snapshot! { any::>() };
+ let it1 = snapshot! { any::<&mut hash_map::Iter>() };
+ proof_assert! { it1.inner().completed() };
+ proof_assert! { it0.produces(prod.inner(), *it1.inner()) };
+
+ proof_assert! { forall r@.get(k) == Some(v) ==> prod.inner().contains((k, v)) };
+ r
+}
+
+#[ensures(forall result@.get(k) == Some(v) ==> xs@.get(*k) == Some(*v) && (^xs)@.get(*k) == Some(^v))]
+#[ensures(forall xs@.get(*k) == Some(v) ==> result@.contains(k) && *result@[k] == v)]
+#[ensures(forall (^xs)@.get(*k) == Some(v) ==> result@.contains(k) && ^result@[k] == v)]
+pub fn roundtrip_hashmap_iter_mut(xs: &mut HashMap) -> HashMap<&K, &mut V> {
+ let it0 = xs.iter_mut();
+ let r: HashMap<&K, &mut V> = it0.collect();
+
+ // epsilon
+ let prod = snapshot! { any::>() };
+ let it1 = snapshot! { any::<&mut hash_map::IterMut>() };
+ proof_assert! { it1.inner().completed() };
+ proof_assert!
{ it0.produces(prod.inner(), *it1.inner()) }; + + proof_assert! { forall r@.get(k) == Some(v) ==> prod.inner().contains((k, v)) }; + r +} + +#[ensures(result@ == xs@)] +pub fn roundtrip_hashset_into_iter(xs: HashSet) -> HashSet { + xs.into_iter().collect() +} + +#[ensures(forall result@.contains(k) == xs@.contains(*k))] +pub fn roundtrip_hashset_iter(xs: &HashSet) -> HashSet<&T> { + xs.iter().collect() +} + +#[ensures(result@ == xs@.intersection(ys@))] +pub fn hashset_intersection(xs: &HashSet, ys: &HashSet) -> HashSet { + xs.intersection(ys).copied().collect() +} diff --git a/creusot/tests/should_succeed/cc/collections/why3session.xml b/creusot/tests/should_succeed/cc/collections/why3session.xml new file mode 100644 index 0000000000..91fbaf7c23 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections/why3session.xml @@ -0,0 +1,140 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
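Review bot: The `#[trusted]` logic function `any` at the top of the new `collections.rs` has no contract and no comment, yet the three `roundtrip_hashmap_*` functions take their witnesses `prod` and `it1` from it and then `proof_assert!` `completed()` and `produces(...)` about them. Nothing in the hunk says why those facts should hold for an arbitrary value; the only hints are the terse `// epsilon` markers and the commented-out `such_that` block in `roundtrip_hashmap_into_iter`. Because a trusted item is accepted without being checked, I would document it, e.g. `/// Test-only stand-in for an epsilon operator; trusted, so not checked by the verifier.` above `any`. If the block comment records the intended final form, replace it with a one-line `// TODO: use such_that for these witnesses` rather than leaving dead code in the test.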
diff --git a/creusot/tests/should_succeed/cc/collections/why3shapes.gz b/creusot/tests/should_succeed/cc/collections/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..66b520cf81130893bf0421affe9adb9d45c1d0ba GIT binary patch literal 2918 zcmV-s3z_sEiwFP!00000|GijQZzDGne)q2sun*o%UPuY%EmD1VTb2_bhGDaLR2A#^s*3;oZgu=97ya zJ|6LawBLVUtJ>6*Y=-lCJ|%IV9-pSv#>c1AHyq$X%k?~$mznkZ-SK39y#Hmti?{U7 zHi8beWQlP)em&jC&v^!F%I)um=eWV?KjP{Bd3W6YFNS7KOy@Yxt&#HiC#hkdkxJh?o`w9KyxBX+5@g>VvC>&>^b!^H%hR5EqyQaFPX7h>&xZ25p+j?K_ zg={|26%PC7T{s=KPxl|~@#CX?y6>GM?vBsJH`?W++m*fiM2=uh@^U!hKawokX@_VH8A z2wt#3IkTAs9I6!O^QjH4Y;d6*8-CMFhU!9Q6x78WXU0^`7*n~vDG+sEfVo9oG|IXi z3{V$Fs4HvH4rD=HQOgPHs*JkmkQqTo7;6^hR0iV-?y?qlS?{Z|2UQs3E-c_K%y2j3 z=pydYvL>fB04JlDfD>0c zPbCviB@3QPKD+~N7UQ>rn@JG2$VdlQ?LZMHKVOBM3%E3aq#=)jC9-2uGd1N>;#&>` zRqOWvn6B9jZwtu*)G{*$Fb01sfB{}xOa#Em&Mjc#7O>zJKpFtUD~maR@eaVw?$9Z} z@nxJY_|;+;y2ko$5fEtuh(n-Z?Ep$Ru^QHcb=3lq8UxV}tpT`w-hDY_+6XeLY*8&{ zu;E5%H|D}nmyNnB>ehWtYTBCA^oU8xx*H8JlhOh}V^Bj>EF~Ty%LoDsp3ElMxxSlF zQ7ts89vW4Td;0B?RL`Ih(;8WXMpoA7WR7LqouM(G+$_@?K_hy8JK|?sLUx|6Y<2s? 
zVgCiGV|r_20Z}6RVCKCIrAW=b{rG&L(3}*k*HG=yb`G!dBD~5TUd04nMIT4Bg;((| zcvXlaufwYvKum5~`k)=&I5RHH^DWOB9D^k5mj`fso_o0)@1>JntvX-Bn^*rJ zuX09=oUkr1G~+$m*8|w=Ix@YEfJ{@+^foVfy~p4XzurIW|JeGalvFg+S(45-Waqz1 zEA(2f8OecN>;*+5=Y_vbAM7&EvleQAMTY0qB^|IX1oMVo z6S=#%tp7rj*C1Z!$QQL63^()(Wd zw|Hv1?e>#4t#jA2i>01D7kF>>?89$X$nvEg9=aYL-js_CZO(Er{Oja@lFHJ8rZIVQxF56epQUA0wDavLwrox(@sdS|nn(=UqK0g^>e(3&ooNV5oKB87% zd-!QX&6Y#`J8U~ba(@4`jp6kNq_fq!=omg9wb;#;`kR(DTZrWHh|_sGop?H3XmIF< z*|RdcaH#?I_qtkmUp6Be*fe&drF4*=Jj^)dt81S;==8}0n%sN|cDq!ao3>47jMBl0 z?&YLpl^=^4yA<6O4x$TnRw}XAuiGBzpHR94!T6h!(l>Wt3b_$NDitNuNeL>VGaL-3 znoE_42r{jhteB`&B`ZSW)8)LmNJ8om zWi-T*qy^qrN-H2T@Bz^LS$JJBS~2n#A&$BYPN)Q~(&H2GIWCjj+^G z9*oi85Cm3IR#H@wR}%gTA5NY361?L{QigtlRuM@`6@9?yh%1HHFqPDmRDY3`0W`A< zISFx(p(2Hh4Atfs!<>ZRm*Yhg$W>>=MX2VeWsERqGy)2-oOmg~39XX@ThirVKe`T9 zqZBbL5o#5cAxI~Z;gMkuvZTwDgEJmDH<(wf(#b|l513{!%Oqo^%Yfe}$-yBRoX=^T zI0iy#3l<#!K`#nGK&Eb`N={MGq>{l=N2GPiNRQ<=f+X5CSxo>FK_1(fwV-K(H%fM3 zg9QdAibRmQMOfgNjyWLMM$3W{qRAYSQ%E~ePc-IGhd#uzY|$XfAPP7Ud2>0XW+(Ap zKoY`-QJ5PPLF_=*Jh~XLTtQ=L+-)jVTwvimrhVX;WmT{Uxzc#$b(H?L_Yxthjdckt zIsCzFfoaZS+Se?YB((yOje*KE=f7`~6Iul)qvn{!6kgAgfTdX?XkLmn8($e+86<>y Q7FQGfKP8MuYK0~M0M+Y&wEzGB literal 0 HcmV?d00001 diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.coma b/creusot/tests/should_succeed/iterators/08_collect_extend.coma index aedea4bc3a..527913b360 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.coma +++ b/creusot/tests/should_succeed/iterators/08_collect_extend.coma 
@@ -24,7 +24,7 @@ module M_08_collect_extend__extend [#"08_collect_extend.rs" 26 0 26 66] let%span siter22 = "../../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 let%span sresolve23 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant24 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 630 20 630 95 let%span svec26 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sboxed27 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 @@ -345,7 +345,7 @@ module M_08_collect_extend__collect [#"08_collect_extend.rs" 44 0 44 52] let%span sresolve21 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span smodel22 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 let%span svec23 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 630 20 630 95 let%span sinvariant25 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sboxed26 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18