diff --git a/creusot-contracts/src/logic/fset.rs b/creusot-contracts/src/logic/fset.rs index 9ebd35b765..469bbb09c7 100644 --- a/creusot-contracts/src/logic/fset.rs +++ b/creusot-contracts/src/logic/fset.rs @@ -114,6 +114,17 @@ impl FSet { dead } + /// Returns a new set, which is the union of `self` and `other`. + /// + /// An element is in the result if it is in `self` _or_ if it is in `other`. + #[trusted] + #[logic] + #[creusot::builtins = "set.Fset.inter"] + pub fn intersection(self, other: Self) -> Self { + let _ = other; + dead + } + /// Returns `true` if every element of `self` is in `other`. #[trusted] #[predicate] diff --git a/creusot-contracts/src/logic/seq.rs b/creusot-contracts/src/logic/seq.rs index d28a4a84b2..8146bbd1b4 100644 --- a/creusot-contracts/src/logic/seq.rs +++ b/creusot-contracts/src/logic/seq.rs @@ -376,6 +376,16 @@ impl Seq { { self.sorted_range(0, self.len()) } + + #[open] + #[logic] + #[ensures(forall, b: Seq, x: T> + a.concat(b).contains(x) == a.contains(x) || b.contains(x))] + pub fn concat_contains() + where + T: Sized, + { + } } impl Seq<&T> { diff --git a/creusot-contracts/src/std.rs b/creusot-contracts/src/std.rs index ec83701067..08c5948870 100644 --- a/creusot-contracts/src/std.rs +++ b/creusot-contracts/src/std.rs @@ -3,6 +3,10 @@ pub use ::std::*; pub mod array; pub mod boxed; pub mod clone; +pub mod collections { + pub mod hash_map; + pub mod hash_set; +} pub mod cmp; pub mod default; pub mod deque; diff --git a/creusot-contracts/src/std/collections/hash_map.rs b/creusot-contracts/src/std/collections/hash_map.rs new file mode 100644 index 0000000000..ca2bcb09d3 --- /dev/null +++ b/creusot-contracts/src/std/collections/hash_map.rs 
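Review bot: The doc comment on the new `FSet::intersection` describes a union ("the union of `self` and `other`", "in `self` _or_ if it is in `other`"), while the `#[creusot::builtins = "set.Fset.inter"]` attribute binds it to intersection. The function is `#[trusted]` with a `dead` body, so the prose is the only human-readable statement of what is being assumed, and here it names the wrong operation. Replace "union" with "intersection" and "_or_ if it is in" with "_and_ if it is in" in the two comment lines.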
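Review bot: The `#[ensures]` on `concat_contains` has no parentheses around the disjunction, and in Rust `==` binds tighter than `||`, so the clause reads as `(a.concat(b).contains(x) == a.contains(x)) || b.contains(x)`. Assuming Pearlite keeps Rust's operator precedence, that is weaker than the lemma's name suggests: whenever `b.contains(x)` holds, it says nothing about `a.concat(b)`. The intended equivalence would be `a.concat(b).contains(x) == (a.contains(x) || b.contains(x))`, and the empty body would then have to discharge that stronger claim. The lemma also has no doc comment; a line such as `/// Lemma: an element is in a concatenation iff it is in one of the two parts.` would tell callers when to invoke it.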
@@ -0,0 +1,249 @@ +use crate::{ + logic::FMap, + std::iter::{FromIterator, IntoIterator, Iterator}, + *, +}; +use ::std::{ + collections::hash_map::*, + default::Default, + hash::{BuildHasher, Hash}, +}; + +impl View for HashMap { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +extern_spec! { + mod std { + mod collections { + mod hash_map { + impl HashMap { + #[ensures(self@ == result@)] + fn iter(&self) -> Iter<'_, K, V>; + + #[ensures(self.into_iter_post(result))] + fn iter_mut(&mut self) -> IterMut<'_, K, V>; + } + } + } + } +} + +impl View for IntoIter { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl Iterator for IntoIter { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // self@ equals the union of visited (viewed as a fmap) and o@ + pearlite! { + self@.len() == visited.len() + o@.len() + && (forall visited.contains((k, v)) + ==> self@.get(k.deep_model()) == Some(v) && o@.get(k.deep_model()) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !exists k2.deep_model() == k && visited.contains((k2, v2))) + && (forall self@.get(k) == Some(v) + ==> (exists k1.deep_model() == k && visited.contains((k1, v))) || o@.get(k) == Some(v)) + && (forall + 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() + && visited[i1].0.deep_model() == visited[i2].0.deep_model() + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! 
{ forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl<'a, K: DeepModel, V> View for Iter<'a, K, V> { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, K: DeepModel, V> Iterator for Iter<'a, K, V> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // `self@` equals the union of `visited` (viewed as a finite map) and `o@` + pearlite! { + self@.len() == visited.len() + o@.len() + && (forall visited.contains((k, v)) + ==> self@.get(k.deep_model()) == Some(*v) && o@.get(k.deep_model()) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !exists k2.deep_model() == k && visited.contains((k2, v2))) + && (forall self@.get(k) == Some(v) + ==> (exists k2.deep_model() == k && visited.contains((k2, &v))) || o@.get(k) == Some(v)) + && (forall + 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() + && visited[i1].0.deep_model() == visited[i2].0.deep_model() + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl<'a, K: DeepModel, V> View for IterMut<'a, K, V> { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, K: DeepModel, V> Iterator for IterMut<'a, K, V> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // self@ equals the union of visited (viewed as a fmap) and o@ + pearlite! 
{ + self@.len() == visited.len() + o@.len() + && (forall visited.contains((&k, v)) + ==> self@.get(k.deep_model()) == Some(v) && o@.get(k.deep_model()) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !exists k2.deep_model() == k && visited.contains((k2, v2))) + && (forall self@.get(k) == Some(v) + ==> (exists k1.deep_model() == k && visited.contains((k1, v))) || o@.get(k) == Some(v)) + && (forall + 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() + && visited[i1].0.deep_model() == visited[i2].0.deep_model() + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl IntoIterator for HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &mut HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate(prophetic)] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! 
{ forall (*self)@.contains(k) == (^self)@.contains(k) + && (forall (*self)@.contains(k) == res@.contains(k)) + && forall (*self)@.contains(k) ==> (*self)@[k] == *res@[k] && (^self)@[k] == ^res@[k] } + } +} + +impl FromIterator<(K, V)> + for HashMap +{ + #[predicate] + #[open] + fn from_iter_post(prod: Seq<(K, V)>, res: Self) -> bool { + pearlite! { forall (res@.get(k) == Some(v)) + == (exists 0 <= i && i < prod.len() && k1.deep_model() == k && prod[i] == (k1, v) + && forall i < j && j < prod.len() ==> prod[j].0.deep_model() != k) } + } +} diff --git a/creusot-contracts/src/std/collections/hash_set.rs b/creusot-contracts/src/std/collections/hash_set.rs new file mode 100644 index 0000000000..41bd35d589 --- /dev/null +++ b/creusot-contracts/src/std/collections/hash_set.rs 
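Review bot: The `#[trusted]` `view` impls for `HashMap`, `IntoIter`, `Iter` and `IterMut` have no doc comment saying what the model is. They are the unchecked assumptions that every `produces`/`completed` predicate in this file is stated against. From `completed` (`self@.is_empty()`) and the first clause of `produces` (`self@.len() == visited.len() + o@.len()`), the iterator views appear to be the entries not yet yielded. Saying so on each impl would make the assumption reviewable, for example `/// Logical model: the entries this iterator has not yet yielded, keyed by the deep model of the key.` The one-line comment inside `produces` mentions only the union, so it should also name the last clause, which requires the keys in `visited` to have pairwise distinct deep models.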
@@ -0,0 +1,226 @@ +use crate::{ + logic::FSet, + std::iter::{FromIterator, IntoIterator, Iterator}, + *, +}; +use ::std::{collections::hash_set::*, hash::*}; + +impl View for HashSet { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +extern_spec! { + mod std { + mod collections { + mod hash_set { + impl HashSet { + #[ensures(self@ == result@)] + fn iter(&self) -> Iter<'_, T>; + } + impl HashSet + where + T: Eq + Hash + DeepModel, + S: BuildHasher, + { + #[ensures(result@ == self@.intersection(other@))] + fn intersection<'a>(&'a self, other: &'a HashSet) -> Intersection<'a, T, S>; + } + } + } + } +} + +impl View for IntoIter { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +#[open] +#[predicate] +pub fn set_produces>>( + start: I, + visited: Seq, + end: I, +) -> bool { + pearlite! { start@.len() == visited.len() + end@.len() + && (forall start@.contains(x) ==> (exists x1.deep_model() == x && visited.contains(x1)) || end@.contains(x)) + && (forall visited.contains(x) ==> start@.contains(x.deep_model()) && !end@.contains(x.deep_model())) + && (forall end@.contains(x) ==> start@.contains(x) && !exists x1.deep_model() == x && visited.contains(x1)) + && (forall + 0 <= i && i < visited.len() && 0 <= j && j < visited.len() + && visited[i].deep_model() == visited[j].deep_model() + ==> i == j) + } +} + +#[open] +#[logic] +#[requires(set_produces(a, ab, b))] +#[requires(set_produces(b, bc, c))] +#[ensures(set_produces(a, ab.concat(bc), c))] +pub fn set_produces_trans>>( + a: I, + ab: Seq, + b: I, + bc: Seq, + c: I, +) { + Seq::::concat_contains(); + proof_assert! { forall ab.len() <= i && ab.concat(bc).get(i) == Some(x) ==> bc.contains(x) }; + proof_assert! 
{ forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }; +} + +impl Iterator for IntoIter { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + set_produces(self, visited, o) + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + set_produces_trans(a, ab, b, bc, c); + } +} + +impl<'a, T: DeepModel> View for Iter<'a, T> { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, T: DeepModel> Iterator for Iter<'a, T> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + set_produces(self, visited, o) + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + set_produces_trans(a, ab, b, bc, c); + } +} + +impl IntoIterator for HashSet { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &HashSet { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! 
{ self@ == res@ } + } +} + +impl FromIterator for HashSet { + #[predicate] + #[open] + fn from_iter_post(prod: Seq, res: Self) -> bool { + pearlite! { forall res@.contains(x) == exists x1.deep_model() == x && prod.contains(x1) } + } +} + +impl<'a, T: DeepModel, S> View for Intersection<'a, T, S> { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, T: Eq + Hash + DeepModel, S: BuildHasher> Iterator for Intersection<'a, T, S> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + set_produces(self, visited, o) + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + set_produces_trans(a, ab, b, bc, c); + } +} diff --git a/creusot-contracts/src/std/default.rs b/creusot-contracts/src/std/default.rs index b1770f27ab..a96b6e45d1 100644 --- a/creusot-contracts/src/std/default.rs +++ b/creusot-contracts/src/std/default.rs @@ -24,3 +24,13 @@ impl Default for bool { pearlite! { self == false } } } + +// `RandomState::default()` is defined as `RandomState::new()` +// which produces random values. +impl Default for std::hash::RandomState { + #[predicate] + #[open] + fn is_default(self) -> bool { + pearlite! { true } + } +} diff --git a/creusot/tests/creusot-contracts/creusot-contracts.coma b/creusot/tests/creusot-contracts/creusot-contracts.coma index cfbca1ad4e..7b8d0eaf43 100644 --- a/creusot/tests/creusot-contracts/creusot-contracts.coma +++ b/creusot/tests/creusot-contracts/creusot-contracts.coma 
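Review bot: `completed` for the hash_set `IntoIter` and `Iter` is `pearlite! { (self@).is_empty() }`, without the `self.resolve()` conjunct. The `Intersection` impl in this same file and all three hash_map iterators use `self.resolve() && self@.is_empty()`. As written, the two set iterators give clients no fact about the final value of the `&mut self` borrow once iteration ends. If that is not deliberate, align them with `pearlite! { self.resolve() && (self@).is_empty() }`; if it is, a comment on those two impls should say why they differ. Separately, the public `set_produces` and `set_produces_trans` have no doc comments describing the relation they define.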
@@ -92,4295 +92,4659 @@ module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_ goal vc_produces_trans'0 : ([%#sarray1] produces'0 b bc c) -> ([%#sarray0] produces'0 a ab b) -> ([%#sarray2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialEq_Rhs_ne_body [#"../../../creusot-contracts/src/std/cmp.rs" 10 31 18 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 18 29 18 32 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 17 26 17 75 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75 - let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sinvariant5 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 79 4 79 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 78 14 78 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 76 4 76 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - use prelude.prelude.Borrow + use seq.Seq - type t_Self_'0 + type t_K'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_V'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 
23 30] (self : t_Self_'0) = - [%#sinvariant5] inv'4 self + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use prelude.prelude.UInt16 - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant5] inv'0 self + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use prelude.prelude.Opaque - axiom inv_axiom'2 [@rewrite] : forall x : t_Self_'0 [inv'2 x] . inv'2 x = invariant'2 x + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - type t_Rhs'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant5] inv'5 self + use prelude.prelude.UIntSize - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . 
inv'1 x = invariant'1 x + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant5] inv'1 self + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type 
t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom inv_axiom'3 [@rewrite] : forall x : t_Rhs'0 [inv'3 x] . inv'3 x = invariant'3 x + type t_FMap'0 + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_IntoIter'0) : t_FMap'0 + + + use prelude.prelude.Int + + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x type t_DeepModelTy'0 - function deep_model'4 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel4] deep_model'4 self + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel4] deep_model'0 self + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function deep_model'5 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + use map.Map - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel4] deep_model'5 self + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel4] deep_model'1 self + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - let rec eq'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:eq 'self' type invariant] inv'2 self} - {[@expl:eq 'other' type invariant] inv'3 other} - any [ return' (result:bool)-> {[%#scmp3] result = (deep_model'2 self = deep_model'3 other)} (! 
return' {result}) ] + use map.Map - use prelude.prelude.Intrinsic + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap6] Map.get (view'1 self) k - meta "compute_max_steps" 1000000 + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - let rec extern_spec_std_cmp_PartialEq_Rhs_ne_body'0 (self_:t_Self_'0) (rhs:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body 'self_' type invariant] [%#scmp0] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body 'rhs' type invariant] [%#scmp1] inv'1 rhs} - (! bb0 - [ bb0 = s0 [ s0 = eq'0 {self_} {rhs} (fun (_ret':bool) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- not _4 ] s1 | s1 = return' {_0} ] ] - ) [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & rhs : t_Rhs'0 = rhs | & _4 : bool = any_l () ] - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body ensures] [%#scmp2] result - = (deep_model'0 self_ <> deep_model'1 rhs)} - (! return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . 
get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + constant self : t_IntoIter'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 79 4 79 26] (self : t_IntoIter'0) : () + + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_lt_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 36 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 39 29 39 34 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 38 48 38 52 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 36 29 36 34 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 86 4 86 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 83 15 83 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 84 15 84 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 85 14 85 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 87 24 87 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 87 8 87 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - use prelude.prelude.Borrow + use prelude.prelude.UInt16 - type t_Self_'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 
23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'2 self + use prelude.prelude.Opaque - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - type t_Rhs'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + use prelude.prelude.UIntSize - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant20] inv'3 self + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . 
inv'1 x = invariant'1 x + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; 
t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - type t_DeepModelTy'0 + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_K'0 - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + type t_V'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_FMap'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_IntoIter'0) : t_FMap'0 - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + use prelude.prelude.Int - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) + type t_DeepModelTy'0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap10] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use map.Map - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap9] Map.get (view'1 self) k - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) - - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . 
deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant a : t_IntoIter'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + constant ab : Seq.seq (t_K'0, t_V'0) - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + constant b : t_IntoIter'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 (t_Ordering'0) + constant bc : Seq.seq (t_K'0, t_V'0) - let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} - {[@expl:partial_cmp 'other' type invariant] inv'1 other} - any - [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} - (! return' {result}) ] - + constant c : t_IntoIter'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any - [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} - (! 
{false} - any) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 86 4 86 90] (a : t_IntoIter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_IntoIter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_IntoIter'0) : () - use prelude.prelude.Intrinsic + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 131 4 131 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 130 14 130 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 128 4 128 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'2 self + use seq.Seq - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'3 self + use prelude.prelude.Borrow - meta "compute_max_steps" 1000000 + type t_K'0 - let rec 
extern_spec_std_cmp_PartialOrd_Rhs_lt_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body 'self_' type invariant] [%#scmp2] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body 'other' type invariant] [%#scmp3] inv'1 other} - (! bb0 - [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] - | bb8 = bb2 - | bb3 = v_Some'0 {_4} - (fun (r0'0:t_Ordering'0) -> - any - [ br0 -> {r0'0 = C_Less'0 } (! bb4) - | br1 -> {r0'0 = C_Equal'0 } (! bb2) - | br2 -> {r0'0 = C_Greater'0 } (! bb2) ] - ) - | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] - | bb4 = bb5 - | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] - | bb6 = return' {_0} ] - ) - [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body ensures] [%#scmp4] result - = lt_log'0 (deep_model'0 self_) (deep_model'1 other)} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_le_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 44 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 47 29 47 34 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 46 66 46 70 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 44 29 44 34 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 43 26 43 77 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - - use prelude.prelude.Borrow - - type t_Self_'0 + type t_V'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use seq.Seq - predicate invariant'0 
[#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'2 self + use prelude.prelude.UInt16 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - type t_Rhs'0 + use prelude.prelude.Opaque - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant20] inv'3 self + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . 
inv'1 x = invariant'1 x + use prelude.prelude.UIntSize - type t_DeepModelTy'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_FMap'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 97 4 97 33] (self : t_Iter'0) : t_FMap'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use prelude.prelude.Int - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + type t_DeepModelTy'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'1 self - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use map.Map - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use map.Map - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap7] Map.get (view'1 self) k - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) - - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap6] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 105 4 105 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k2 : t_K'0 . 
deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + constant self : t_Iter'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 131 4 131 26] (self : t_Iter'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 138 4 138 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 135 15 135 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 136 15 136 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 137 14 137 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 139 24 139 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 139 8 139 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel8 = 
"../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + use prelude.prelude.UInt16 - type t_Option'0 = - | C_None'0 - | C_Some'0 (t_Ordering'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} - {[@expl:partial_cmp 'other' type invariant] inv'1 other} - any - [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} - (! return' {result}) ] - + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any - [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} - (! 
{false} - any) ] - + use prelude.prelude.Opaque - use prelude.prelude.Intrinsic + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'2 self + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'3 self + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - meta "compute_max_steps" 1000000 + use prelude.prelude.UIntSize - let rec extern_spec_std_cmp_PartialOrd_Rhs_le_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body 'self_' type invariant] [%#scmp2] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body 'other' type invariant] [%#scmp3] inv'1 other} - (! bb0 - [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] - | bb8 = bb2 - | bb3 = v_Some'0 {_4} - (fun (r0'0:t_Ordering'0) -> - any - [ br0 -> {r0'0 = C_Less'0 } (! bb4) - | br1 -> {r0'0 = C_Equal'0 } (! bb4) - | br2 -> {r0'0 = C_Greater'0 } (! bb2) ] - ) - | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] - | bb4 = bb5 - | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] - | bb6 = return' {_0} ] - ) - [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body ensures] [%#scmp4] result - = le_log'0 (deep_model'0 self_) (deep_model'1 other)} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_gt_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 52 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 55 29 55 34 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 54 51 54 55 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 52 29 52 34 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 51 26 51 76 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Iter'0 = + { t_Iter__base'0: 
t_Iter'1 } use prelude.prelude.Borrow - type t_Self_'0 + type t_K'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_V'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'2 self + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_FMap'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 97 4 97 33] (self : t_Iter'0) : t_FMap'0 + - type t_Rhs'0 + use prelude.prelude.Int - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant20] inv'3 self + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq7] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x type t_DeepModelTy'0 - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel8] deep_model'1 self - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap10] Map.get (view'1 self) k - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap9] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 105 4 105 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - + constant a : t_Iter'0 - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) + constant ab : Seq.seq (t_K'0, t_V'0) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + constant b : t_Iter'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + constant bc : Seq.seq (t_K'0, t_V'0) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant c : t_Iter'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 138 4 138 90] (a : t_Iter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_Iter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_Iter'0) : () - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 
0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 183 4 183 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 182 14 182 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use prelude.prelude.Borrow - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + type t_K'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + type t_V'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + use prelude.prelude.UInt16 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + use prelude.prelude.UIntSize + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } + + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } + + type t_FMap'0 + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 149 4 149 33] (self : t_IterMut'0) : t_FMap'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use prelude.prelude.Int + + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + type t_DeepModelTy'0 + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 type t_Option'0 = | C_None'0 - | C_Some'0 (t_Ordering'0) + | C_Some'0 (borrowed t_V'0) - let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} - {[@expl:partial_cmp 'other' type invariant] inv'1 other} - any - [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} - (! return' {result}) ] - + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_V'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any - [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} - (! {false} - any) ] + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - use prelude.prelude.Intrinsic + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'1 m1 <> view'1 m2 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'2 self + use map.Map - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'3 self + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap7] Map.get (view'1 self) k - meta "compute_max_steps" 1000000 + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - let rec extern_spec_std_cmp_PartialOrd_Rhs_gt_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body 'self_' type invariant] [%#scmp2] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body 'other' type invariant] [%#scmp3] inv'1 other} - (! bb0 - [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] - | bb8 = bb2 - | bb3 = v_Some'0 {_4} - (fun (r0'0:t_Ordering'0) -> - any - [ br0 -> {r0'0 = C_Less'0 } (! bb2) - | br1 -> {r0'0 = C_Equal'0 } (! bb2) - | br2 -> {r0'0 = C_Greater'0 } (! 
bb4) ] - ) - | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] - | bb4 = bb5 - | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] - | bb6 = return' {_0} ] - ) - [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'0 self + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 157 4 157 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body ensures] [%#scmp4] result - = gt_log'0 (deep_model'0 self_) (deep_model'1 other)} - (! return' {result}) ] + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'1 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'1 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 
0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'1 (let (a, _) = Seq.get visited i1 in a) = deep_model'1 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + constant self : t_IterMut'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 183 4 183 26] (self : t_IterMut'0) : () + + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_ge_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 60 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 63 29 63 34 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 62 69 62 73 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 60 29 60 34 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 59 26 59 77 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 
15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 190 4 190 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 187 15 187 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 188 15 188 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 189 14 189 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 191 24 191 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 191 8 191 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel9 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - use prelude.prelude.Borrow + use prelude.prelude.UInt16 - type t_Self_'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'2 self + use prelude.prelude.Opaque - predicate inv'0 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - type t_Rhs'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + use prelude.prelude.UIntSize - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant20] inv'3 self + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . 
inv'1 x = invariant'1 x + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - type t_DeepModelTy'0 + use prelude.prelude.Borrow - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_K'0 - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + type t_V'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_FMap'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 149 4 149 33] (self : t_IterMut'0) : t_FMap'0 - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + use prelude.prelude.Int - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + type t_DeepModelTy'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_V'0) - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + use map.Map - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + use map.Map - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap10] Map.get (view'1 self) k - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel9] deep_model'0 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 157 4 157 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'1 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'1 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'1 (let (a, _) = Seq.get visited i1 in a) = deep_model'1 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + constant a : t_IterMut'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 (t_Ordering'0) + constant ab : Seq.seq (t_K'0, borrowed t_V'0) - let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} - {[@expl:partial_cmp 'other' type invariant] inv'1 other} - any - [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} - (! return' {result}) ] - + constant b : t_IterMut'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any - [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} - (! {false} - any) ] - + constant bc : Seq.seq (t_K'0, borrowed t_V'0) - use prelude.prelude.Intrinsic + constant c : t_IterMut'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'2 self + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 190 4 190 90] (a : t_IterMut'0) (ab : Seq.seq (t_K'0, borrowed t_V'0)) (b : t_IterMut'0) (bc : Seq.seq (t_K'0, borrowed t_V'0)) (c : t_IterMut'0) : () + + + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 
0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__set_produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 82 20 82 108 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 83 20 83 98 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sseq8 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfset11 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'3 self + type t_I'0 - meta "compute_max_steps" 1000000 - - let rec extern_spec_std_cmp_PartialOrd_Rhs_ge_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body 'self_' type invariant] [%#scmp2] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body 'other' type invariant] [%#scmp3] inv'1 other} - (! 
bb0 - [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] - | bb8 = bb2 - | bb3 = v_Some'0 {_4} - (fun (r0'0:t_Ordering'0) -> - any - [ br0 -> {r0'0 = C_Less'0 } (! bb2) - | br1 -> {r0'0 = C_Equal'0 } (! bb4) - | br2 -> {r0'0 = C_Greater'0 } (! bb4) ] - ) - | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] - | bb4 = bb5 - | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] - | bb6 = return' {_0} ] - ) - [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body ensures] [%#scmp4] result - = ge_log'0 (deep_model'0 self_) (deep_model'1 other)} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_max_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 80 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 80 29 80 30 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 80 41 80 45 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 75 26 75 66 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 76 26 76 63 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 43 26 43 77 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - - use prelude.prelude.Borrow - - type t_Self_'0 - - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'0 self - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_T'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . 
inv'1 x = invariant'0 x + use seq.Seq type t_DeepModelTy'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + use set.Fset - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'0 self + function view'0 [#"../../../creusot-contracts/src/model.rs" 17 4 17 34] (self : t_I'0) : Fset.fset t_DeepModelTy'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use set.Fset - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use prelude.prelude.Int - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + use set.Fset - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate contains'1 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset11] Fset.mem e self - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq9] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_I'0) (visited : Seq.seq t_T'0) (end' : t_I'0) + = + [%#shash_set7] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'1 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'0 visited x1) \/ contains'1 (view'0 end') x) + /\ (forall x : t_T'0 . contains'0 visited x + -> contains'1 (view'0 start) (deep_model'0 x) /\ not contains'1 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'1 (view'0 end') x + -> contains'1 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'0 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq8] () - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + axiom concat_contains'0_spec : forall _1 : () . 
[%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function get'0 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq t_T'0) (ix : int) : t_Option'0 + = + [%#sseq10] if 0 <= ix /\ ix < Seq.length self then C_Some'0 (Seq.get self ix) else C_None'0 - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + constant a : t_I'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant ab : Seq.seq t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + constant b : t_I'0 - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + constant bc : Seq.seq t_T'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant c : t_I'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function set_produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + goal vc_set_produces_trans'0 : ([%#shash_set1] set_produces'0 b bc c) + -> ([%#shash_set0] set_produces'0 a ab b) + -> ([%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x = contains'0 a x + \/ contains'0 b x) + -> (let _ = concat_contains'0 () in ([%#shash_set4] forall i : int, x : t_T'0 . Seq.length ab <= i + /\ get'0 (Seq.(++) ab bc) i = C_Some'0 x -> contains'0 bc x) + && (let _ = () in let _ = () in ([%#shash_set5] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in let _ = () in [%#shash_set2] set_produces'0 a (Seq.(++) ab bc) c))) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 102 4 102 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 101 14 101 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 99 4 99 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset4 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_T'0 - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + use seq.Seq - let rec le'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:le 'self' type invariant] inv'1 self} - {[@expl:le 'other' type invariant] inv'1 other} - any - [ return' (result:bool)-> {[%#scmp5] result = le_log'0 (deep_model'1 self) (deep_model'1 other)} - (! return' {result}) ] - + use prelude.prelude.UInt16 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - use prelude.prelude.Intrinsic + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - meta "compute_max_steps" 1000000 + use prelude.prelude.Opaque - let rec extern_spec_std_cmp_Ord_max_body'0 (self_:t_Self_'0) (o:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_max_body 'self_' type invariant] [%#scmp0] inv'0 self_} - {[@expl:extern_spec_std_cmp_Ord_max_body 'o' type invariant] [%#scmp1] inv'0 o} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = le'0 {self_} {o} (fun (_ret':bool) -> [ &_8 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = any [ br0 -> {_8 = false} (! bb8) | br1 -> {_8} (! 
bb7) ] - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'0 self_} s1 | s1 = -{resolve'0 self_}- s2 | s2 = [ &_0 <- o ] s3 | s3 = bb9 ] - - | bb8 = s0 - [ s0 = {[@expl:type invariant] inv'0 o} s1 | s1 = -{resolve'0 o}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb9 ] - - | bb9 = bb10 - | bb10 = bb11 - | bb11 = return' {_0} ] - ) [ & _0 : t_Self_'0 = any_l () | & self_ : t_Self_'0 = self_ | & o : t_Self_'0 = o | & _8 : bool = any_l () ] - [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_max_body result type invariant] [%#scmp2] inv'0 result} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #0] [%#scmp3] ge_log'0 (deep_model'0 result) (deep_model'0 self_)} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #1] [%#scmp4] ge_log'0 (deep_model'0 result) (deep_model'0 o)} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #2] [%#scmp0] result = self_ \/ result = o} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #3] [%#scmp0] le_log'0 (deep_model'0 self_) (deep_model'0 o) - -> result = o} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #4] [%#scmp0] lt_log'0 (deep_model'0 o) (deep_model'0 self_) - -> result = self_} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_min_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 89 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 89 29 89 30 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 89 41 89 45 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 84 26 84 66 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 85 26 85 63 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 88 26 88 77 - let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant21 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - use prelude.prelude.Borrow + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } 
- type t_Self_'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use prelude.prelude.UIntSize - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant21] inv'0 self + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | 
C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - type t_DeepModelTy'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel7] deep_model'0 self + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_DeepModelTy'0 - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord20] (x = y) - = (cmp_log'0 x y = C_Equal'0) + use set.Fset - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord18] cmp_log'0 x y = C_Greater'0) - -> ([%#sord19] cmp_log'0 y x = C_Less'0) + use set.Fset - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord16] cmp_log'0 x y = C_Less'0) - -> ([%#sord17] cmp_log'0 y x = C_Greater'0) + use prelude.prelude.Int - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset4] Fset.mem e self - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord13] cmp_log'0 x y - = o) -> ([%#sord14] cmp_log'0 y z = o) -> ([%#sord15] cmp_log'0 x z = o) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord12] cmp_log'0 x x = C_Equal'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) + = + [%#shash_set3] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 89 4 89 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#shash_set2] set_produces'0 self visited o - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord11] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + constant self : t_IntoIter'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 102 4 102 26] (self : t_IntoIter'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 109 4 109 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 106 15 106 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 107 15 107 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 108 14 108 42 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 110 8 110 43 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set8 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span shash_set9 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sfset12 = "../../../creusot-contracts/src/logic/fset.rs" 46 
8 46 26 + let%span sseq13 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + use prelude.prelude.UInt16 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + use prelude.prelude.Opaque + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + use prelude.prelude.UIntSize + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | 
C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } + + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_T'0 + + use seq.Seq + + type t_DeepModelTy'0 + + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset12] Fset.mem e self - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord9] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + use seq.Seq + + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq13] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) + = + [%#shash_set9] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 89 4 89 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#shash_set7] set_produces'0 self visited o - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord8] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + use seq.Seq - let rec lt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:lt 'self' type invariant] inv'1 self} - {[@expl:lt 'other' type invariant] inv'1 other} - any - [ return' (result:bool)-> {[%#scmp6] result = lt_log'0 (deep_model'1 self) (deep_model'1 other)} - (! return' {result}) ] + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq11] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq10] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x + + function set_produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + = + [%#shash_set8] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) + axiom set_produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq t_T'0, b : t_IntoIter'0, bc : Seq.seq t_T'0, c : t_IntoIter'0 . ([%#shash_set3] set_produces'0 a ab b) + -> ([%#shash_set4] set_produces'0 b bc c) -> ([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) - use prelude.prelude.Intrinsic + constant a : t_IntoIter'0 - meta "compute_max_steps" 1000000 + constant ab : Seq.seq t_T'0 - let rec extern_spec_std_cmp_Ord_min_body'0 (self_:t_Self_'0) (o:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_min_body 'self_' type invariant] [%#scmp0] inv'0 self_} - {[@expl:extern_spec_std_cmp_Ord_min_body 'o' type invariant] [%#scmp1] inv'0 o} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = lt'0 {self_} {o} (fun (_ret':bool) -> [ &_8 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = any [ br0 -> {_8 = false} (! 
bb8) | br1 -> {_8} (! bb7) ] - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'0 o} s1 | s1 = -{resolve'0 o}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb9 ] - - | bb8 = s0 - [ s0 = {[@expl:type invariant] inv'0 self_} s1 | s1 = -{resolve'0 self_}- s2 | s2 = [ &_0 <- o ] s3 | s3 = bb9 ] - - | bb9 = bb10 - | bb10 = bb11 - | bb11 = return' {_0} ] - ) [ & _0 : t_Self_'0 = any_l () | & self_ : t_Self_'0 = self_ | & o : t_Self_'0 = o | & _8 : bool = any_l () ] - [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_min_body result type invariant] [%#scmp2] inv'0 result} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #0] [%#scmp3] le_log'0 (deep_model'0 result) (deep_model'0 self_)} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #1] [%#scmp4] le_log'0 (deep_model'0 result) (deep_model'0 o)} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #2] [%#scmp0] result = self_ \/ result = o} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #3] [%#scmp0] lt_log'0 (deep_model'0 self_) (deep_model'0 o) - -> result = self_} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #4] [%#scmp5] le_log'0 (deep_model'0 o) (deep_model'0 self_) - -> result = o} - (! 
return' {result}) ] + constant b : t_IntoIter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 109 4 109 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> (([@expl:set_produces_trans requires #0] [%#shash_set3] set_produces'0 a ab b) + && ([@expl:set_produces_trans requires #1] [%#shash_set4] set_produces'0 b bc c)) + /\ (([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) + -> (let _ = set_produces_trans'0 a ab b bc c in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c)) end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_clamp_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 102 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 102 31 102 34 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 102 42 102 45 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 93 27 93 63 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 102 56 102 60 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 94 26 94 65 - let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 95 26 95 65 - let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 97 16 101 43 - let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 51 26 51 76 - let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 - let%span smodel10 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant24 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 141 4 141 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 140 14 140 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 138 4 138 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset4 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + + use seq.Seq use prelude.prelude.Borrow - type t_Self_'0 + type t_T'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant24] inv'0 self + use 
prelude.prelude.UInt16 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - type t_DeepModelTy'0 + use prelude.prelude.Opaque - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel10] deep_model'0 self + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord23] (x = y) - = (cmp_log'0 x y = C_Equal'0) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord21] cmp_log'0 x y = C_Greater'0) - -> ([%#sord22] cmp_log'0 y x = C_Less'0) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord19] cmp_log'0 x y = C_Less'0) - -> ([%#sord20] cmp_log'0 y x = C_Greater'0) + type t_DeepModelTy'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 120 4 120 33] (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord16] cmp_log'0 x y - = o) -> ([%#sord17] cmp_log'0 y z = o) -> ([%#sord18] cmp_log'0 x z = o) + use set.Fset - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord15] cmp_log'0 x x = C_Equal'0 + use prelude.prelude.Int - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use set.Fset - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset4] Fset.mem e self - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord14] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'1 self - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq6] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) + = + [%#shash_set3] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 
0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 128 4 128 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set2] set_produces'0 self visited o - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + constant self : t_Iter'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 141 4 141 26] (self : t_Iter'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 148 4 148 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 145 15 145 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 146 15 146 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 147 14 147 42 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set6 = 
"../../../creusot-contracts/src/std/collections/hash_set.rs" 149 8 149 43 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set8 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span shash_set9 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sfset12 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel13 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq14 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + use prelude.prelude.UInt16 - let rec gt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:gt 'self' type invariant] inv'1 self} - {[@expl:gt 'other' type invariant] inv'1 other} - any - [ return' (result:bool)-> {[%#scmp8] result = gt_log'0 (deep_model'1 self) (deep_model'1 other)} - (! return' {result}) ] - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - let rec lt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:lt 'self' type invariant] inv'1 self} - {[@expl:lt 'other' type invariant] inv'1 other} - any - [ return' (result:bool)-> {[%#scmp9] result = lt_log'0 (deep_model'1 self) (deep_model'1 other)} - (! 
return' {result}) ] + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + use prelude.prelude.UIntSize + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq + + type t_DeepModelTy'0 + + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 120 4 120 33] (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 - use prelude.prelude.Intrinsic + use set.Fset - meta "compute_max_steps" 1000000 + use seq.Seq - let rec extern_spec_std_cmp_Ord_clamp_body'0 (self_:t_Self_'0) (min:t_Self_'0) (max:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_clamp_body 'self_' type invariant] [%#scmp0] inv'0 self_} - {[@expl:extern_spec_std_cmp_Ord_clamp_body 'min' type invariant] [%#scmp1] inv'0 min} - {[@expl:extern_spec_std_cmp_Ord_clamp_body 'max' type invariant] [%#scmp2] inv'0 max} - {[@expl:extern_spec_std_cmp_Ord_clamp_body requires] [%#scmp3] le_log'0 (deep_model'0 min) (deep_model'0 max)} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = gt'0 {self_} {max} (fun (_ret':bool) -> [ &_9 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = any [ br0 -> {_9 = false} (! bb8) | br1 -> {_9} (! 
bb7) ] - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'0 min} s1 - | s1 = -{resolve'0 min}- s2 - | s2 = {[@expl:type invariant] inv'0 self_} s3 - | s3 = -{resolve'0 self_}- s4 - | s4 = [ &_0 <- max ] s5 - | s5 = bb13 ] - - | bb8 = s0 - [ s0 = {[@expl:type invariant] inv'0 max} s1 - | s1 = -{resolve'0 max}- s2 - | s2 = lt'0 {self_} {min} (fun (_ret':bool) -> [ &_12 <- _ret' ] s3) - | s3 = bb9 ] - - | bb9 = any [ br0 -> {_12 = false} (! bb11) | br1 -> {_12} (! bb10) ] - | bb10 = s0 - [ s0 = {[@expl:type invariant] inv'0 self_} s1 - | s1 = -{resolve'0 self_}- s2 - | s2 = [ &_0 <- min ] s3 - | s3 = bb12 ] - - | bb11 = s0 - [ s0 = {[@expl:type invariant] inv'0 min} s1 | s1 = -{resolve'0 min}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb12 ] - - | bb12 = bb13 - | bb13 = bb14 - | bb14 = bb15 - | bb15 = bb16 - | bb16 = return' {_0} ] - ) - [ & _0 : t_Self_'0 = any_l () - | & self_ : t_Self_'0 = self_ - | & min : t_Self_'0 = min - | & max : t_Self_'0 = max - | & _9 : bool = any_l () - | & _12 : bool = any_l () ] - - [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_clamp_body result type invariant] [%#scmp4] inv'0 result} - {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #0] [%#scmp5] ge_log'0 (deep_model'0 result) (deep_model'0 min)} - {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #1] [%#scmp6] le_log'0 (deep_model'0 result) (deep_model'0 max)} - {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #2] [%#scmp0] result = self_ \/ result = min \/ result = max} - {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #3] [%#scmp7] if gt_log'0 (deep_model'0 self_) (deep_model'0 max) then - result = max - else - if lt_log'0 (deep_model'0 self_) (deep_model'0 min) then result = min else result = self_ - } - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_max_body [#"../../../creusot-contracts/src/std/cmp.rs" 112 12 113 66] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 112 22 112 24 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 112 29 112 31 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 112 39 112 40 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 107 22 107 60 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 108 22 108 60 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 109 22 109 50 - let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 110 22 110 73 - let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 111 22 111 72 - let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 75 26 75 66 - let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 76 26 76 63 - let%span scmp10 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord23 = 
"../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Int - type t_T'0 + use set.Fset - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset12] Fset.mem e self - type t_DeepModelTy'0 + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel13] deep_model'1 self - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq14] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) + = + [%#shash_set9] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . 
contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord23] (x = y) - = (cmp_log'0 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 128 4 128 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set7] set_produces'0 self visited o - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord21] cmp_log'0 x y = C_Greater'0) - -> ([%#sord22] cmp_log'0 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq11] () - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord19] cmp_log'0 x y = C_Less'0) - -> ([%#sord20] cmp_log'0 y x = C_Greater'0) + axiom concat_contains'0_spec : forall _1 : () . [%#sseq10] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . 
contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + function set_produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + = + [%#shash_set8] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord16] cmp_log'0 x y - = o) -> ([%#sord17] cmp_log'0 y z = o) -> ([%#sord18] cmp_log'0 x z = o) + axiom set_produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq t_T'0, b : t_Iter'0, bc : Seq.seq t_T'0, c : t_Iter'0 . ([%#shash_set3] set_produces'0 a ab b) + -> ([%#shash_set4] set_produces'0 b bc c) -> ([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + constant a : t_Iter'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord15] cmp_log'0 x x = C_Equal'0 + constant ab : Seq.seq t_T'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant b : t_Iter'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + constant bc : Seq.seq t_T'0 - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord14] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + constant c : t_Iter'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 148 4 148 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> (([@expl:set_produces_trans requires #0] [%#shash_set3] set_produces'0 a ab b) + && ([@expl:set_produces_trans requires #1] [%#shash_set4] set_produces'0 b bc c)) + /\ (([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) + -> (let _ = set_produces_trans'0 a ab b bc c in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c)) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 215 14 215 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 213 4 213 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset4 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord13] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + use seq.Seq - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use prelude.prelude.Borrow - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_T'0 - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use prelude.prelude.UInt16 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - let rec max'0 (self:t_T'0) (other:t_T'0) (return' (ret:t_T'0))= {[@expl:max 'self' type invariant] inv'0 self} - {[@expl:max 'other' type invariant] inv'0 other} - any - [ return' (result:t_T'0)-> {inv'0 result} - {[%#scmp8] ge_log'0 (deep_model'0 result) (deep_model'0 self)} - {[%#scmp9] ge_log'0 (deep_model'0 result) (deep_model'0 other)} - {[%#scmp10] result = self \/ result = other} - {[%#scmp10] le_log'0 (deep_model'0 self) (deep_model'0 other) -> result = other} - {[%#scmp10] lt_log'0 (deep_model'0 other) (deep_model'0 self) -> result = self} - (! 
return' {result}) ] - + use prelude.prelude.Opaque - use prelude.prelude.Intrinsic + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - meta "compute_max_steps" 1000000 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - let rec extern_spec_std_cmp_max_body'0 (v1:t_T'0) (v2:t_T'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_cmp_max_body 'v1' type invariant] [%#scmp0] inv'0 v1} - {[@expl:extern_spec_std_cmp_max_body 'v2' type invariant] [%#scmp1] inv'0 v2} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = max'0 {v1} {v2} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = bb7 - | bb7 = bb8 - | bb8 = return' {_0} ] - ) [ & _0 : t_T'0 = any_l () | & v1 : t_T'0 = v1 | & v2 : t_T'0 = v2 ] - [ return' (result:t_T'0)-> {[@expl:extern_spec_std_cmp_max_body result type invariant] [%#scmp2] inv'0 result} - {[@expl:extern_spec_std_cmp_max_body ensures #0] [%#scmp3] ge_log'0 (deep_model'0 result) (deep_model'0 v1)} - {[@expl:extern_spec_std_cmp_max_body ensures #1] [%#scmp4] ge_log'0 (deep_model'0 result) (deep_model'0 v2)} - {[@expl:extern_spec_std_cmp_max_body ensures #2] [%#scmp5] result = v1 \/ result = v2} - {[@expl:extern_spec_std_cmp_max_body ensures #3] [%#scmp6] le_log'0 (deep_model'0 v1) (deep_model'0 v2) - -> result = v2} - {[@expl:extern_spec_std_cmp_max_body ensures #4] [%#scmp7] lt_log'0 (deep_model'0 v2) (deep_model'0 v1) - -> result = v1} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_min_body [#"../../../creusot-contracts/src/std/cmp.rs" 123 12 124 66] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 123 22 123 24 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 123 29 123 31 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 123 39 123 40 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 118 22 118 60 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 119 22 119 60 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 120 22 120 50 - let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 121 22 121 72 - let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 122 22 122 73 - let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 84 26 84 66 - let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 85 26 85 63 - let%span scmp10 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp11 = "../../../creusot-contracts/src/std/cmp.rs" 88 26 88 77 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord23 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord24 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - type t_T'0 + use prelude.prelude.UIntSize - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_DeepModelTy'0 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_S'0 - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord24] (x = y) - = (cmp_log'0 x y = C_Equal'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord22] cmp_log'0 x y = C_Greater'0) - -> ([%#sord23] cmp_log'0 y x = C_Less'0) + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord20] cmp_log'0 x y = C_Less'0) - -> ([%#sord21] cmp_log'0 y x = C_Greater'0) + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord17] cmp_log'0 x y - = o) -> ([%#sord18] cmp_log'0 y z = o) -> ([%#sord19] cmp_log'0 x z = o) + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + type t_DeepModelTy'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord16] cmp_log'0 x x = C_Equal'0 + use set.Fset - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 195 4 195 33] (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use set.Fset - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord15] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use prelude.prelude.Int - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset4] Fset.mem e self - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'1 self - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq6] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) + = + [%#shash_set3] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 203 4 203 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) + = + [%#shash_set2] set_produces'0 self visited o - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord12] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + constant self : t_Intersection'0 - let rec min'0 (self:t_T'0) (other:t_T'0) (return' (ret:t_T'0))= {[@expl:min 'self' type invariant] inv'0 self} - {[@expl:min 'other' type invariant] inv'0 other} - any - [ return' (result:t_T'0)-> {inv'0 result} - {[%#scmp8] le_log'0 (deep_model'0 result) (deep_model'0 self)} - {[%#scmp9] le_log'0 (deep_model'0 result) (deep_model'0 other)} - {[%#scmp10] result = self \/ result = other} - {[%#scmp10] lt_log'0 (deep_model'0 self) (deep_model'0 other) -> result = self} - {[%#scmp11] le_log'0 (deep_model'0 other) (deep_model'0 self) -> result = other} - (! return' {result}) ] + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 26] (self : t_Intersection'0) : () - use prelude.prelude.Intrinsic - - meta "compute_max_steps" 1000000 - - let rec extern_spec_std_cmp_min_body'0 (v1:t_T'0) (v2:t_T'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_cmp_min_body 'v1' type invariant] [%#scmp0] inv'0 v1} - {[@expl:extern_spec_std_cmp_min_body 'v2' type invariant] [%#scmp1] inv'0 v2} - (! 
bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = min'0 {v1} {v2} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = bb7 - | bb7 = bb8 - | bb8 = return' {_0} ] - ) [ & _0 : t_T'0 = any_l () | & v1 : t_T'0 = v1 | & v2 : t_T'0 = v2 ] - [ return' (result:t_T'0)-> {[@expl:extern_spec_std_cmp_min_body result type invariant] [%#scmp2] inv'0 result} - {[@expl:extern_spec_std_cmp_min_body ensures #0] [%#scmp3] le_log'0 (deep_model'0 result) (deep_model'0 v1)} - {[@expl:extern_spec_std_cmp_min_body ensures #1] [%#scmp4] le_log'0 (deep_model'0 result) (deep_model'0 v2)} - {[@expl:extern_spec_std_cmp_min_body ensures #2] [%#scmp5] result = v1 \/ result = v2} - {[@expl:extern_spec_std_cmp_min_body ensures #3] [%#scmp6] lt_log'0 (deep_model'0 v1) (deep_model'0 v2) - -> result = v1} - {[@expl:extern_spec_std_cmp_min_body ensures #4] [%#scmp7] le_log'0 (deep_model'0 v2) (deep_model'0 v1) - -> result = v2} - (! return' {result}) ] - + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_le_log [#"../../../creusot-contracts/src/std/cmp.rs" 156 4 156 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 155 14 155 64 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 153 4 153 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = 
"../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 223 4 223 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 220 15 220 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 221 15 221 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 222 14 222 42 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 224 8 224 43 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span shash_set8 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span shash_set9 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sfset12 = 
"../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel13 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq14 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_T'0 + use prelude.prelude.UInt16 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.Borrow - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_S'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_T'0 - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_DeepModelTy'0 - axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + use set.Fset - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 195 4 195 33] (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + [%#sfset12] Fset.mem e self - constant x : t_Reverse'0 + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 
29 45] (self : t_T'0) : t_DeepModelTy'0 - constant y : t_Reverse'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel13] deep_model'1 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 156 4 156 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + use seq.Seq + + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq14] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) + = + [%#shash_set9] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 
0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - goal vc_cmp_le_log'0 : [%#scmp0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_lt_log [#"../../../creusot-contracts/src/std/cmp.rs" 161 4 161 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 160 14 160 61 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 158 4 158 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 203 4 203 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) + + = + [%#shash_set7] set_produces'0 self visited o - type t_T'0 + use seq.Seq - type 
t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq11] () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom concat_contains'0_spec : forall _1 : () . [%#sseq10] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function set_produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () + = + [%#shash_set8] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + axiom set_produces_trans'0_spec : forall a : t_Intersection'0, ab : Seq.seq t_T'0, b : t_Intersection'0, bc : Seq.seq t_T'0, c : t_Intersection'0 . ([%#shash_set3] set_produces'0 a ab b) + -> ([%#shash_set4] set_produces'0 b bc c) -> ([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant a : t_Intersection'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + constant ab : Seq.seq t_T'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + constant b : t_Intersection'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + constant bc : Seq.seq t_T'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + constant c : t_Intersection'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 223 4 223 90] (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> (([@expl:set_produces_trans requires #0] [%#shash_set3] set_produces'0 a ab b) + && ([@expl:set_produces_trans requires #1] [%#shash_set4] set_produces'0 b bc c)) + /\ (([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) + -> (let _ = set_produces_trans'0 a ab b bc c in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c)) +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialEq_Rhs_ne_body [#"../../../creusot-contracts/src/std/cmp.rs" 10 31 18 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 18 29 18 32 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 17 26 17 75 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sinvariant5 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Borrow - axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + type t_Self_'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant5] inv'4 self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant5] inv'0 self - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + axiom inv_axiom'2 [@rewrite] : forall x : t_Self_'0 [inv'2 x] . inv'2 x = invariant'2 x - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_Rhs'0 - axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant5] inv'5 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant5] inv'1 self - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool - - = - [%#sord2] cmp_log'0 self o = C_Less'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - constant x : t_Reverse'0 + axiom inv_axiom'3 [@rewrite] : forall x : t_Rhs'0 [inv'3 x] . 
inv'3 x = invariant'3 x - constant y : t_Reverse'0 - - function cmp_lt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 161 4 161 35] (x : t_Reverse'0) (y : t_Reverse'0) : () - - - goal vc_cmp_lt_log'0 : [%#scmp0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_ge_log [#"../../../creusot-contracts/src/std/cmp.rs" 166 4 166 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 165 14 165 61 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 163 4 163 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + type t_DeepModelTy'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function deep_model'4 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - type t_Ordering'0 = - | C_Less'0 - | 
C_Equal'0 - | C_Greater'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'4 self - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'0 self - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + function deep_model'5 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'5 self - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + let rec eq'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:eq 'self' type invariant] inv'2 self} + {[@expl:eq 'other' type invariant] inv'3 other} + any [ return' (result:bool)-> {[%#scmp3] result = (deep_model'2 self = deep_model'3 other)} (! return' {result}) ] - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Intrinsic - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + meta "compute_max_steps" 1000000 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + let rec extern_spec_std_cmp_PartialEq_Rhs_ne_body'0 (self_:t_Self_'0) (rhs:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body 'self_' type invariant] [%#scmp0] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body 'rhs' type invariant] [%#scmp1] inv'1 rhs} + (! bb0 + [ bb0 = s0 [ s0 = eq'0 {self_} {rhs} (fun (_ret':bool) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- not _4 ] s1 | s1 = return' {_0} ] ] + ) [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & rhs : t_Rhs'0 = rhs | & _4 : bool = any_l () ] + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body ensures] [%#scmp2] result + = (deep_model'0 self_ <> deep_model'1 rhs)} + (! return' {result}) ] +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_lt_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 36 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 39 29 39 34 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 38 48 38 52 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 36 29 36 34 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + 
let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Borrow - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_Self_'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'2 self - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . 
inv'0 x = invariant'0 x - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_Rhs'0 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant20] inv'3 self - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_DeepModelTy'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - = - [%#sord2] cmp_log'0 self o <> C_Less'0 - constant x : t_Reverse'0 - - constant y : t_Reverse'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 166 4 166 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_cmp_ge_log'0 : [%#scmp0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_gt_log [#"../../../creusot-contracts/src/std/cmp.rs" 171 4 171 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 170 14 170 64 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 168 4 168 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = 
"../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_Ordering'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} + {[@expl:partial_cmp 'other' type invariant] inv'1 other} + any + [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} + (! return' {result}) ] + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any + [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} + (! {false} + any) ] + - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use prelude.prelude.Intrinsic - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'2 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'3 self - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + meta "compute_max_steps" 1000000 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + let rec extern_spec_std_cmp_PartialOrd_Rhs_lt_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body 'self_' type invariant] [%#scmp2] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body 'other' type invariant] [%#scmp3] inv'1 other} + (! bb0 + [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] + | bb8 = bb2 + | bb3 = v_Some'0 {_4} + (fun (r0'0:t_Ordering'0) -> + any + [ br0 -> {r0'0 = C_Less'0 } (! bb4) + | br1 -> {r0'0 = C_Equal'0 } (! bb2) + | br2 -> {r0'0 = C_Greater'0 } (! 
bb2) ] + ) + | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] + | bb4 = bb5 + | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - = - [%#sord2] cmp_log'0 self o = C_Greater'0 - - constant x : t_Reverse'0 - - constant y : t_Reverse'0 - - function cmp_gt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 171 4 171 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body ensures] [%#scmp4] result + = lt_log'0 (deep_model'0 self_) (deep_model'1 other)} + (! return' {result}) ] - - goal vc_cmp_gt_log'0 : [%#scmp0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__refl [#"../../../creusot-contracts/src/std/cmp.rs" 176 4 176 20] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 175 14 175 45 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 173 4 173 10 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_le_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 44 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 47 29 47 34 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 46 66 46 70 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 44 29 44 34 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 43 26 43 77 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - type t_T'0 + use 
prelude.prelude.Borrow - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_Self_'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'2 self - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_Rhs'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant20] inv'3 self - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . 
inv'1 x = invariant'1 x - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + type t_DeepModelTy'0 - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 + - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom refl'0_spec : forall x : t_DeepModelTy'0 . 
[%#sord11] cmp_log'0 x x = C_Equal'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - constant x : t_Reverse'0 - - function refl'0 [#"../../../creusot-contracts/src/std/cmp.rs" 176 4 176 20] (x : t_Reverse'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - goal vc_refl'0 : [%#scmp0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__trans [#"../../../creusot-contracts/src/std/cmp.rs" 183 4 183 52] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 180 15 180 32 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 181 15 181 32 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 182 14 182 31 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 178 4 178 10 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - type t_T'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_Ordering'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} + {[@expl:partial_cmp 'other' type invariant] inv'1 other} + any + [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} + (! return' {result}) ] - axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any + [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} + (! {false} + any) ] + - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Intrinsic - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'2 self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'3 self - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + meta "compute_max_steps" 1000000 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + let rec extern_spec_std_cmp_PartialOrd_Rhs_le_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body 'self_' type invariant] [%#scmp2] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body 'other' type invariant] [%#scmp3] inv'1 other} + (! bb0 + [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = any [ br0 -> {_4 = C_None'0 } (! 
bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] + | bb8 = bb2 + | bb3 = v_Some'0 {_4} + (fun (r0'0:t_Ordering'0) -> + any + [ br0 -> {r0'0 = C_Less'0 } (! bb4) + | br1 -> {r0'0 = C_Equal'0 } (! bb4) + | br2 -> {r0'0 = C_Greater'0 } (! bb2) ] + ) + | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] + | bb4 = bb5 + | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] + + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body ensures] [%#scmp4] result + = le_log'0 (deep_model'0 self_) (deep_model'1 other)} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_gt_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 52 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 55 29 55 34 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 54 51 54 55 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 52 29 52 34 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 51 26 51 76 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_Self_'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'2 self - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp4] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . 
inv'0 x = invariant'0 x - constant x : t_Reverse'0 + type t_Rhs'0 - constant y : t_Reverse'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - constant z : t_Reverse'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant20] inv'3 self - constant o : t_Ordering'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function trans'0 [#"../../../creusot-contracts/src/std/cmp.rs" 183 4 183 52] (x : t_Reverse'0) (y : t_Reverse'0) (z : t_Reverse'0) (o : t_Ordering'0) : () - + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - goal vc_trans'0 : ([%#scmp1] cmp_log'0 y z = o) -> ([%#scmp0] cmp_log'0 x y = o) -> ([%#scmp2] cmp_log'0 x z = o) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym1 [#"../../../creusot-contracts/src/std/cmp.rs" 189 4 189 33] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 187 15 187 45 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 188 14 188 47 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 185 4 185 10 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 
81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_DeepModelTy'0 - type t_T'0 + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) - - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - constant x : t_Reverse'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant y : t_Reverse'0 + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/std/cmp.rs" 189 4 189 33] (x : t_Reverse'0) (y : t_Reverse'0) : () + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - goal vc_antisym1'0 : ([%#scmp0] cmp_log'0 x y = C_Less'0) -> ([%#scmp1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym2 [#"../../../creusot-contracts/src/std/cmp.rs" 195 4 195 33] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 193 15 193 48 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 194 14 194 44 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 191 4 191 10 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = 
"../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_Ordering'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} + {[@expl:partial_cmp 'other' type invariant] inv'1 other} + any + [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} + (! return' {result}) ] + - axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any + [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} + (! {false} + any) ] + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Intrinsic - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'2 self - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'3 self - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + meta "compute_max_steps" 1000000 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + let rec extern_spec_std_cmp_PartialOrd_Rhs_gt_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body 'self_' type invariant] [%#scmp2] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body 'other' type invariant] [%#scmp3] inv'1 other} + (! bb0 + [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] + | bb8 = bb2 + | bb3 = v_Some'0 {_4} + (fun (r0'0:t_Ordering'0) -> + any + [ br0 -> {r0'0 = C_Less'0 } (! bb2) + | br1 -> {r0'0 = C_Equal'0 } (! bb2) + | br2 -> {r0'0 = C_Greater'0 } (! 
bb4) ] + ) + | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] + | bb4 = bb5 + | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] + + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body ensures] [%#scmp4] result + = gt_log'0 (deep_model'0 self_) (deep_model'1 other)} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_ge_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 60 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 63 29 63 34 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 62 69 62 73 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 60 29 60 34 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 59 26 59 77 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Borrow - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_Self_'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'2 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Rhs'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - constant x : t_Reverse'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant20] inv'3 self - constant y : t_Reverse'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function antisym2'0 [#"../../../creusot-contracts/src/std/cmp.rs" 195 4 195 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - goal vc_antisym2'0 : ([%#scmp0] cmp_log'0 x y = C_Greater'0) -> ([%#scmp1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__eq_cmp [#"../../../creusot-contracts/src/std/cmp.rs" 200 4 200 31] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 199 14 199 59 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 197 4 197 10 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 
- let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_DeepModelTy'0 - type t_T'0 + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) - - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom refl'0_spec : forall x : t_DeepModelTy'0 . 
[%#sord11] cmp_log'0 x x = C_Equal'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - constant x : t_Reverse'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant y : t_Reverse'0 + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/std/cmp.rs" 200 4 200 31] (x : t_Reverse'0) (y : t_Reverse'0) : () + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - goal vc_eq_cmp'0 : [%#scmp0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_refl [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (* as std::iter::Iterator> *) - let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 177 14 177 45 - let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 175 4 175 10 - let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice8 = 
"../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - use prelude.prelude.Borrow + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_T'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - use prelude.prelude.Opaque + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Iter'1 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - type t_Iter'0 = - { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_Ordering'0) - use prelude.prelude.Slice + let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} + {[@expl:partial_cmp 'other' type invariant] inv'1 other} + any + [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} + (! 
return' {result}) ] + - function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any + [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} + (! {false} + any) ] + - use seq.Seq + use prelude.prelude.Intrinsic - use seq.Seq + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'2 self - use seq.Seq + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'3 self - use prelude.prelude.UIntSize + meta "compute_max_steps" 1000000 - constant v_MAX'0 : usize = (18446744073709551615 : usize) - - use prelude.prelude.UIntSize - - use prelude.prelude.Int - - use prelude.prelude.Slice - - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice8] view'2 self = Slice.id self) - - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel5] view'2 self - - use seq.Seq - - use seq.Seq - - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + let rec extern_spec_std_cmp_PartialOrd_Rhs_ge_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body 'self_' type invariant] [%#scmp2] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body 'other' type invariant] [%#scmp3] inv'1 other} + (! 
bb0 + [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] + | bb8 = bb2 + | bb3 = v_Some'0 {_4} + (fun (r0'0:t_Ordering'0) -> + any + [ br0 -> {r0'0 = C_Less'0 } (! bb2) + | br1 -> {r0'0 = C_Equal'0 } (! bb4) + | br2 -> {r0'0 = C_Greater'0 } (! bb4) ] + ) + | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] + | bb4 = bb5 + | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - = - [%#sindex6] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - - use seq.Seq - - predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body ensures] [%#scmp4] result + = ge_log'0 (deep_model'0 self_) (deep_model'1 other)} + (! 
return' {result}) ] - = - [%#sdeque2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - - constant self : t_Iter'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (self : t_Iter'0) : () - - goal vc_produces_refl'0 : [%#sdeque0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_trans [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (* as std::iter::Iterator> *) - let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 182 15 182 32 - let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 183 15 183 32 - let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 184 14 184 42 - let%span sdeque3 = "../../../creusot-contracts/src/std/deque.rs" 180 4 180 10 - let%span sdeque4 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - - use prelude.prelude.Opaque - - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } - - type t_Iter'1 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - - type t_Iter'0 = - { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_max_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 80 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 80 29 80 30 + let%span scmp2 = 
"../../../creusot-contracts/src/std/cmp.rs" 80 41 80 45 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 75 26 75 66 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 76 26 76 63 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 43 26 43 77 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 use prelude.prelude.Borrow - type t_T'0 - - use seq.Seq - - use prelude.prelude.Slice - - function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 - - use seq.Seq - - use seq.Seq - - use seq.Seq - - use prelude.prelude.UIntSize - - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_Self_'0 - use prelude.prelude.UIntSize + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - use prelude.prelude.Int + predicate invariant'0 
[#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'0 self - use prelude.prelude.Slice + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice10] view'2 self = Slice.id self) + type t_DeepModelTy'0 - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel7] view'2 self + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - use seq.Seq + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'0 self - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - = - [%#sindex8] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice6] forall i : int . 
0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - - use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - = - [%#sdeque4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant a : t_Iter'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - constant ab : Seq.seq t_T'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant b : t_Iter'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - constant bc : Seq.seq t_T'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant c : t_Iter'0 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - goal vc_produces_trans'0 : ([%#sdeque1] produces'0 b bc c) - -> ([%#sdeque0] produces'0 a ab b) -> ([%#sdeque2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_refl [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (* as std::iter::Iterator> *) - let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 57 14 57 45 - let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 55 4 55 10 - let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 - let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - type t_T'0 + axiom refl'0_spec : forall x : t_DeepModelTy'0 . 
[%#sord11] cmp_log'0 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_I'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Cloned'0 = - { t_Cloned__it'0: t_I'0 } + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - use prelude.prelude.Borrow + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x - = match x with - | {t_Cloned__it'0 = it} -> inv'1 it - end + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - axiom iter'0_spec : forall self : t_Cloned'0 . 
[%#scloned3] inv'0 self -> inv'1 (iter'0 self) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) + let rec le'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:le 'self' type invariant] inv'1 self} + {[@expl:le 'other' type invariant] inv'1 other} + any + [ return' (result:bool)-> {[%#scmp5] result = le_log'0 (deep_model'1 self) (deep_model'1 other)} + (! return' {result}) ] - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.Intrinsic - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self - - use seq.Seq - - use seq.Seq - - use prelude.prelude.Int - - use seq.Seq - - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + let rec extern_spec_std_cmp_Ord_max_body'0 (self_:t_Self_'0) (o:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_max_body 'self_' type invariant] [%#scmp0] inv'0 self_} + {[@expl:extern_spec_std_cmp_Ord_max_body 'o' type invariant] [%#scmp1] inv'0 o} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = le'0 {self_} {o} (fun (_ret':bool) -> [ &_8 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = any [ br0 -> {_8 = false} (! bb8) | br1 -> {_8} (! bb7) ] + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'0 self_} s1 | s1 = -{resolve'0 self_}- s2 | s2 = [ &_0 <- o ] s3 | s3 = bb9 ] + + | bb8 = s0 + [ s0 = {[@expl:type invariant] inv'0 o} s1 | s1 = -{resolve'0 o}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb9 ] + + | bb9 = bb10 + | bb10 = bb11 + | bb11 = return' {_0} ] + ) [ & _0 : t_Self_'0 = any_l () | & self_ : t_Self_'0 = self_ | & o : t_Self_'0 = o | & _8 : bool = any_l () ] + [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_max_body result type invariant] [%#scmp2] inv'0 result} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #0] [%#scmp3] ge_log'0 (deep_model'0 result) (deep_model'0 self_)} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #1] [%#scmp4] ge_log'0 (deep_model'0 result) (deep_model'0 o)} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #2] [%#scmp0] result = self_ \/ result = o} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #3] [%#scmp0] le_log'0 (deep_model'0 self_) (deep_model'0 o) + -> result = o} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #4] [%#scmp0] lt_log'0 (deep_model'0 o) (deep_model'0 self_) + -> result = self_} + (! 
return' {result}) ] - = - [%#scloned2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - - constant self : t_Cloned'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (self : t_Cloned'0) : () - - goal vc_produces_refl'0 : [%#scloned0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_trans [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (* as std::iter::Iterator> *) - let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 62 15 62 32 - let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 63 15 63 32 - let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 64 14 64 42 - let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 60 4 60 10 - let%span scloned4 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 - let%span scloned5 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - type t_I'0 - - type t_Cloned'0 = - { t_Cloned__it'0: t_I'0 } - - type t_T'0 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_min_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 89 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 89 29 89 30 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 89 41 89 45 + let%span scmp3 = 
"../../../creusot-contracts/src/std/cmp.rs" 84 26 84 66 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 85 26 85 63 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 88 26 88 77 + let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant21 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 use prelude.prelude.Borrow - use seq.Seq + type t_Self_'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant21] inv'0 self - axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . 
inv'0 x - = match x with - | {t_Cloned__it'0 = it} -> inv'1 it - end + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x - axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned5] inv'0 self -> inv'1 (iter'0 self) + type t_DeepModelTy'0 - use seq.Seq + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - use seq.Seq + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel7] deep_model'0 self - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self - - use seq.Seq - - use seq.Seq - - use prelude.prelude.Int - - use seq.Seq - - use seq.Seq - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - = - [%#scloned4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - - use seq.Seq - - constant a : t_Cloned'0 - - constant ab : Seq.seq t_T'0 - - constant b : t_Cloned'0 - - constant bc : Seq.seq t_T'0 - constant c : t_Cloned'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord20] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (a : t_Cloned'0) (ab : Seq.seq t_T'0) (b : t_Cloned'0) (bc : Seq.seq t_T'0) (c : t_Cloned'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_produces_trans'0 : ([%#scloned1] produces'0 b bc c) - -> ([%#scloned0] produces'0 a ab b) -> ([%#scloned2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_refl [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (* as std::iter::Iterator> *) - let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 - let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 55 4 55 10 - let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 - let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 - let%span siter4 = 
"../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_T'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord18] cmp_log'0 x y = C_Greater'0) + -> ([%#sord19] cmp_log'0 y x = C_Less'0) - use seq.Seq + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_I'0 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord16] cmp_log'0 x y = C_Less'0) + -> ([%#sord17] cmp_log'0 y x = C_Greater'0) - type t_Copied'0 = - { t_Copied__it'0: t_I'0 } + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - use prelude.prelude.Borrow + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord13] cmp_log'0 x y + = o) -> ([%#sord14] cmp_log'0 y z = o) -> ([%#sord15] cmp_log'0 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord12] cmp_log'0 x x = C_Equal'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . 
inv'0 x - = match x with - | {t_Copied__it'0 = it} -> inv'1 it - end + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied3] inv'0 self -> inv'1 (iter'0 self) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord9] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - use seq.Seq + let rec lt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:lt 'self' type invariant] inv'1 self} + {[@expl:lt 'other' type invariant] inv'1 other} + any + [ return' (result:bool)-> {[%#scmp6] result = lt_log'0 (deep_model'1 self) (deep_model'1 other)} + (! return' {result}) ] + - use prelude.prelude.Int + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) - use seq.Seq + use prelude.prelude.Intrinsic - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) - - = - [%#scopied2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - - constant self : t_Copied'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (self : t_Copied'0) : () - - goal vc_produces_refl'0 : [%#scopied0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + let rec extern_spec_std_cmp_Ord_min_body'0 (self_:t_Self_'0) (o:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_min_body 'self_' type invariant] [%#scmp0] inv'0 self_} + {[@expl:extern_spec_std_cmp_Ord_min_body 'o' type invariant] [%#scmp1] inv'0 o} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = lt'0 {self_} {o} (fun (_ret':bool) -> [ &_8 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = any [ br0 -> {_8 = false} (! bb8) | br1 -> {_8} (! bb7) ] + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'0 o} s1 | s1 = -{resolve'0 o}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb9 ] + + | bb8 = s0 + [ s0 = {[@expl:type invariant] inv'0 self_} s1 | s1 = -{resolve'0 self_}- s2 | s2 = [ &_0 <- o ] s3 | s3 = bb9 ] + + | bb9 = bb10 + | bb10 = bb11 + | bb11 = return' {_0} ] + ) [ & _0 : t_Self_'0 = any_l () | & self_ : t_Self_'0 = self_ | & o : t_Self_'0 = o | & _8 : bool = any_l () ] + [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_min_body result type invariant] [%#scmp2] inv'0 result} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #0] [%#scmp3] le_log'0 (deep_model'0 result) (deep_model'0 self_)} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #1] [%#scmp4] le_log'0 (deep_model'0 result) (deep_model'0 o)} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #2] [%#scmp0] result = self_ \/ result = o} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #3] [%#scmp0] lt_log'0 (deep_model'0 self_) (deep_model'0 o) + -> result = self_} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #4] [%#scmp5] le_log'0 (deep_model'0 o) (deep_model'0 self_) + -> result = o} + (! 
return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_trans [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (* as std::iter::Iterator> *) - let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 - let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 - let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 - let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 60 4 60 10 - let%span scopied4 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 - let%span scopied5 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - type t_I'0 - - type t_Copied'0 = - { t_Copied__it'0: t_I'0 } - - type t_T'0 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_clamp_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 102 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 102 31 102 34 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 102 42 102 45 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 93 27 93 63 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 102 56 102 60 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 94 26 94 65 + let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 95 26 95 65 + let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 97 16 101 43 + let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 51 26 51 76 + let%span scmp9 = 
"../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 + let%span smodel10 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant24 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 use prelude.prelude.Borrow - use seq.Seq + type t_Self_'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant24] inv'0 self - axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . 
inv'0 x - = match x with - | {t_Copied__it'0 = it} -> inv'1 it - end + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x - axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'0 self -> inv'1 (iter'0 self) + type t_DeepModelTy'0 - use seq.Seq + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - use seq.Seq + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel10] deep_model'0 self - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self - - use seq.Seq - - use seq.Seq - - use prelude.prelude.Int - - use seq.Seq - - use seq.Seq - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - = - [%#scopied4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - - use seq.Seq - constant a : t_Copied'0 - - constant ab : Seq.seq t_T'0 - - constant b : t_Copied'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord23] (x = y) + = (cmp_log'0 x y = C_Equal'0) - constant bc : Seq.seq t_T'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant c : t_Copied'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord21] cmp_log'0 x y = C_Greater'0) + -> ([%#sord22] cmp_log'0 y x = C_Less'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_produces_trans'0 : ([%#scopied1] produces'0 b bc c) - -> ([%#scopied0] produces'0 a ab b) -> ([%#scopied2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_refl [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (* as std::iter::Iterator> *) - let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 18 14 18 45 - let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 16 4 16 10 - let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord19] cmp_log'0 x y = C_Less'0) + -> ([%#sord20] cmp_log'0 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - type t_T'0 + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord16] cmp_log'0 x y + = o) -> ([%#sord17] cmp_log'0 y z = o) -> ([%#sord18] cmp_log'0 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - type t_Empty'0 = - { t_Empty__0'0: () } + axiom refl'0_spec : forall x : t_DeepModelTy'0 . 
[%#sord15] cmp_log'0 x x = C_Equal'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#sempty2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - - constant self : t_Empty'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (self : t_Empty'0) : () - goal vc_produces_refl'0 : [%#sempty0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_trans [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (* as std::iter::Iterator> *) - let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 23 15 23 32 - let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 24 15 24 32 - let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 25 14 25 42 - let%span sempty3 = "../../../creusot-contracts/src/std/iter/empty.rs" 21 4 21 10 - let%span sempty4 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Empty'0 = - { t_Empty__0'0: () } + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - type t_T'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord13] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#sempty4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - - use seq.Seq - constant a : t_Empty'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant ab : Seq.seq t_T'0 + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - constant b : t_Empty'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - constant bc : Seq.seq t_T'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant c : t_Empty'0 + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (a : t_Empty'0) (ab : Seq.seq t_T'0) (b : t_Empty'0) (bc : Seq.seq t_T'0) (c : t_Empty'0) : () + let rec gt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:gt 'self' type invariant] inv'1 self} + {[@expl:gt 'other' type invariant] inv'1 other} + any + [ return' (result:bool)-> {[%#scmp8] result = gt_log'0 (deep_model'1 self) (deep_model'1 other)} + (! 
return' {result}) ] - goal vc_produces_trans'0 : ([%#sempty1] produces'0 b bc c) - -> ([%#sempty0] produces'0 a ab b) -> ([%#sempty2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_refl [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (* as std::iter::Iterator> *) - let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 82 14 82 45 - let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 80 4 80 10 - let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 - let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span senumerate8 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 - - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) - use prelude.prelude.UIntSize + let rec lt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:lt 'self' type invariant] inv'1 self} + {[@expl:lt 'other' type invariant] inv'1 other} + any + [ return' (result:bool)-> {[%#scmp9] result = lt_log'0 (deep_model'1 self) (deep_model'1 other)} + (! 
return' {result}) ] + - type t_Item'0 + use prelude.prelude.Intrinsic - use seq.Seq + meta "compute_max_steps" 1000000 - type t_I'0 - - type t_Enumerate'0 = - { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } - - use seq.Seq - - use prelude.prelude.Int - - function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int - - use seq.Seq - - use seq.Seq - - use seq.Seq - - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + let rec extern_spec_std_cmp_Ord_clamp_body'0 (self_:t_Self_'0) (min:t_Self_'0) (max:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_clamp_body 'self_' type invariant] [%#scmp0] inv'0 self_} + {[@expl:extern_spec_std_cmp_Ord_clamp_body 'min' type invariant] [%#scmp1] inv'0 min} + {[@expl:extern_spec_std_cmp_Ord_clamp_body 'max' type invariant] [%#scmp2] inv'0 max} + {[@expl:extern_spec_std_cmp_Ord_clamp_body requires] [%#scmp3] le_log'0 (deep_model'0 min) (deep_model'0 max)} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = gt'0 {self_} {max} (fun (_ret':bool) -> [ &_9 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = any [ br0 -> {_9 = false} (! bb8) | br1 -> {_9} (! bb7) ] + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'0 min} s1 + | s1 = -{resolve'0 min}- s2 + | s2 = {[@expl:type invariant] inv'0 self_} s3 + | s3 = -{resolve'0 self_}- s4 + | s4 = [ &_0 <- max ] s5 + | s5 = bb13 ] + + | bb8 = s0 + [ s0 = {[@expl:type invariant] inv'0 max} s1 + | s1 = -{resolve'0 max}- s2 + | s2 = lt'0 {self_} {min} (fun (_ret':bool) -> [ &_12 <- _ret' ] s3) + | s3 = bb9 ] + + | bb9 = any [ br0 -> {_12 = false} (! bb11) | br1 -> {_12} (! 
bb10) ] + | bb10 = s0 + [ s0 = {[@expl:type invariant] inv'0 self_} s1 + | s1 = -{resolve'0 self_}- s2 + | s2 = [ &_0 <- min ] s3 + | s3 = bb12 ] + + | bb11 = s0 + [ s0 = {[@expl:type invariant] inv'0 min} s1 | s1 = -{resolve'0 min}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb12 ] + + | bb12 = bb13 + | bb13 = bb14 + | bb14 = bb15 + | bb15 = bb16 + | bb16 = return' {_0} ] + ) + [ & _0 : t_Self_'0 = any_l () + | & self_ : t_Self_'0 = self_ + | & min : t_Self_'0 = min + | & max : t_Self_'0 = max + | & _9 : bool = any_l () + | & _12 : bool = any_l () ] - - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_clamp_body result type invariant] [%#scmp4] inv'0 result} + {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #0] [%#scmp5] ge_log'0 (deep_model'0 result) (deep_model'0 min)} + {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #1] [%#scmp6] le_log'0 (deep_model'0 result) (deep_model'0 max)} + {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #2] [%#scmp0] result = self_ \/ result = min \/ result = max} + {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #3] [%#scmp7] if gt_log'0 (deep_model'0 self_) (deep_model'0 max) then + result = max + else + if lt_log'0 (deep_model'0 self_) (deep_model'0 min) then result = min else result = self_ + } + (! 
return' {result}) ] +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_max_body [#"../../../creusot-contracts/src/std/cmp.rs" 112 12 113 66] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 112 22 112 24 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 112 29 112 31 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 112 39 112 40 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 107 22 107 60 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 108 22 108 60 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 109 22 109 50 + let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 110 22 110 73 + let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 111 22 111 72 + let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 75 26 75 66 + let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 76 26 76 63 + let%span scmp10 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord23 = 
"../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use seq.Seq - - constant v_MAX'0 : usize = (18446744073709551615 : usize) - - use prelude.prelude.UIntSize - - use prelude.prelude.Borrow - - predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - - function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate3] inv'0 self -> inv'1 (iter'0 self) + type t_T'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = - [%#senumerate8] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i - -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) - /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . 
inv'0 x - = (invariant'0 x - /\ match x with - | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter - end) + type t_DeepModelTy'0 - use seq.Seq + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - = - [%#senumerate2] Seq.length visited = n'0 o - n'0 self - /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i - /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) - constant self : t_Enumerate'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (self : t_Enumerate'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_produces_refl'0 : [%#senumerate0] produces'0 self (Seq.empty : Seq.seq (usize, t_Item'0)) self -end -module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_trans [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (* as std::iter::Iterator> *) - let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 87 15 87 32 - let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 88 15 88 32 - let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 89 14 89 42 - let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 85 4 85 10 - 
let%span senumerate4 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 - let%span senumerate5 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span senumerate10 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord23] (x = y) + = (cmp_log'0 x y = C_Equal'0) - type t_I'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use prelude.prelude.UIntSize + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord21] cmp_log'0 x y = C_Greater'0) + -> ([%#sord22] cmp_log'0 y x = C_Less'0) - type t_Enumerate'0 = - { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Item'0 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord19] cmp_log'0 x y = C_Less'0) + -> ([%#sord20] cmp_log'0 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . 
([%#sord16] cmp_log'0 x y + = o) -> ([%#sord17] cmp_log'0 y z = o) -> ([%#sord18] cmp_log'0 x z = o) - use prelude.prelude.Int + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord15] cmp_log'0 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter6] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - use seq.Seq + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use prelude.prelude.UIntSize + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - use prelude.prelude.Borrow + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord11] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) + let rec max'0 (self:t_T'0) (other:t_T'0) (return' (ret:t_T'0))= {[@expl:max 'self' type invariant] inv'0 self} + {[@expl:max 'other' type invariant] inv'0 other} + any + [ return' (result:t_T'0)-> {inv'0 result} + {[%#scmp8] ge_log'0 (deep_model'0 result) (deep_model'0 self)} + {[%#scmp9] ge_log'0 (deep_model'0 result) (deep_model'0 other)} + {[%#scmp10] result = self \/ result = other} + {[%#scmp10] le_log'0 (deep_model'0 self) (deep_model'0 other) -> result = other} + {[%#scmp10] lt_log'0 (deep_model'0 other) (deep_model'0 self) -> result = self} + (! return' {result}) ] + - function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 + use prelude.prelude.Intrinsic - axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate5] inv'0 self -> inv'1 (iter'0 self) + meta "compute_max_steps" 1000000 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = - [%#senumerate10] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i - -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) - /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + let rec extern_spec_std_cmp_max_body'0 (v1:t_T'0) (v2:t_T'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_cmp_max_body 'v1' type invariant] [%#scmp0] inv'0 v1} + {[@expl:extern_spec_std_cmp_max_body 'v2' type invariant] [%#scmp1] inv'0 v2} + (! 
bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = max'0 {v1} {v2} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = bb7 + | bb7 = bb8 + | bb8 = return' {_0} ] + ) [ & _0 : t_T'0 = any_l () | & v1 : t_T'0 = v1 | & v2 : t_T'0 = v2 ] + [ return' (result:t_T'0)-> {[@expl:extern_spec_std_cmp_max_body result type invariant] [%#scmp2] inv'0 result} + {[@expl:extern_spec_std_cmp_max_body ensures #0] [%#scmp3] ge_log'0 (deep_model'0 result) (deep_model'0 v1)} + {[@expl:extern_spec_std_cmp_max_body ensures #1] [%#scmp4] ge_log'0 (deep_model'0 result) (deep_model'0 v2)} + {[@expl:extern_spec_std_cmp_max_body ensures #2] [%#scmp5] result = v1 \/ result = v2} + {[@expl:extern_spec_std_cmp_max_body ensures #3] [%#scmp6] le_log'0 (deep_model'0 v1) (deep_model'0 v2) + -> result = v2} + {[@expl:extern_spec_std_cmp_max_body ensures #4] [%#scmp7] lt_log'0 (deep_model'0 v2) (deep_model'0 v1) + -> result = v1} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_min_body [#"../../../creusot-contracts/src/std/cmp.rs" 123 12 124 66] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 123 22 123 24 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 123 29 123 31 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 123 39 123 40 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 118 22 118 60 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 119 22 119 60 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 120 22 120 50 + let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 121 22 121 72 + let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 122 22 122 73 + let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 84 26 84 66 + let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 85 26 85 63 + let%span scmp10 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp11 = 
"../../../creusot-contracts/src/std/cmp.rs" 88 26 88 77 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord24 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter - end) + type t_T'0 - use seq.Seq + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + type t_DeepModelTy'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) - - = - [%#senumerate4] Seq.length visited = n'0 o - n'0 self - /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 
0 <= i /\ i < Seq.length s - -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i - /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - constant a : t_Enumerate'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 + - constant ab : Seq.seq (usize, t_Item'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant b : t_Enumerate'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord24] (x = y) + = (cmp_log'0 x y = C_Equal'0) - constant bc : Seq.seq (usize, t_Item'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant c : t_Enumerate'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
([%#sord22] cmp_log'0 x y = C_Greater'0) + -> ([%#sord23] cmp_log'0 y x = C_Less'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (a : t_Enumerate'0) (ab : Seq.seq (usize, t_Item'0)) (b : t_Enumerate'0) (bc : Seq.seq (usize, t_Item'0)) (c : t_Enumerate'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_produces_trans'0 : ([%#senumerate1] produces'0 b bc c) - -> ([%#senumerate0] produces'0 a ab b) -> ([%#senumerate2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_refl [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (* as std::iter::Iterator> *) - let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 105 14 105 45 - let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 103 4 103 10 - let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 - let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 - let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 - let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter14 = 
"../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord20] cmp_log'0 x y = C_Less'0) + -> ([%#sord21] cmp_log'0 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - type t_Item'0 + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord17] cmp_log'0 x y + = o) -> ([%#sord18] cmp_log'0 y z = o) -> ([%#sord19] cmp_log'0 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - type t_I'0 + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord16] cmp_log'0 x x = C_Equal'0 - type t_F'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_Filter'0 = - { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use prelude.prelude.Borrow + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord15] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops12] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . 
[%#sord13] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops9] unnest'0 self b) - -> ([%#sops10] unnest'0 b c) -> ([%#sops11] unnest'0 self c) + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + let rec min'0 (self:t_T'0) (other:t_T'0) (return' (ret:t_T'0))= {[@expl:min 'self' type invariant] inv'0 self} + {[@expl:min 'other' type invariant] inv'0 other} + any + [ return' (result:t_T'0)-> {inv'0 result} + {[%#scmp8] le_log'0 (deep_model'0 result) (deep_model'0 self)} + {[%#scmp9] le_log'0 (deep_model'0 result) (deep_model'0 other)} + {[%#scmp10] result = self \/ result = other} + {[%#scmp10] lt_log'0 (deep_model'0 self) (deep_model'0 other) -> result = self} + {[%#scmp11] le_log'0 (deep_model'0 other) (deep_model'0 self) -> result = other} + (! return' {result}) ] + - axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops8] unnest'0 self self + use prelude.prelude.Intrinsic - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_cmp_min_body'0 (v1:t_T'0) (v2:t_T'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_cmp_min_body 'v1' type invariant] [%#scmp0] inv'0 v1} + {[@expl:extern_spec_std_cmp_min_body 'v2' type invariant] [%#scmp1] inv'0 v2} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = min'0 {v1} {v2} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = bb7 + | bb7 = bb8 + | bb8 = return' {_0} ] + ) [ & _0 : t_T'0 = any_l () | & v1 : t_T'0 = v1 | & v2 : t_T'0 = v2 ] + [ return' (result:t_T'0)-> {[@expl:extern_spec_std_cmp_min_body result type invariant] [%#scmp2] inv'0 result} + {[@expl:extern_spec_std_cmp_min_body ensures #0] [%#scmp3] le_log'0 (deep_model'0 result) (deep_model'0 v1)} + {[@expl:extern_spec_std_cmp_min_body ensures #1] [%#scmp4] le_log'0 (deep_model'0 result) (deep_model'0 v2)} + {[@expl:extern_spec_std_cmp_min_body ensures #2] [%#scmp5] result = v1 \/ result = v2} + {[@expl:extern_spec_std_cmp_min_body ensures #3] [%#scmp6] lt_log'0 (deep_model'0 v1) (deep_model'0 v2) + -> result = v1} + {[@expl:extern_spec_std_cmp_min_body ensures #4] [%#scmp7] le_log'0 (deep_model'0 v2) (deep_model'0 v1) + -> result = v2} + (! 
return' {result}) ] +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_le_log [#"../../../creusot-contracts/src/std/cmp.rs" 156 4 156 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 155 14 155 64 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 153 4 153 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops6] postcondition_mut'0 self args res_state res) - -> ([%#sops7] unnest'0 self res_state) + type t_T'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = - [%#sfilter3] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) - /\ (forall f : t_F'0, g : t_F'0 . 
unnest'0 f g -> f = g) - /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true - /\ postcondition_mut'0 f1 (i) f2 false)) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' - end) + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter4] inv'0 self -> inv'1 (func'0 self) + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use prelude.prelude.Int + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use map.Map + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter5] inv'0 self -> inv'2 (iter'0 self) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter14] produces'1 a ab b) - -> ([%#siter15] produces'1 b bc c) -> ([%#siter16] produces'1 a (Seq.(++) ab bc) c) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter13] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use map.Map + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use seq.Seq + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) - - = - [%#sfilter2] invariant'0 self - -> unnest'0 (func'0 self) (func'0 succ) - /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited - -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) - = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - constant self : t_Filter'0 + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (self : t_Filter'0) : () + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - goal vc_produces_refl'0 : [%#sfilter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_trans [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (* as std::iter::Iterator> *) - let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 110 15 110 32 - let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 111 15 111 32 - let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 112 14 112 42 - let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 108 4 108 10 - let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 - let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 - let%span sfilter6 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 - let%span sfilter7 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter17 = 
"../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - type t_I'0 + axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - type t_F'0 + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - type t_Filter'0 = - { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Greater'0 - type t_Item'0 + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use prelude.prelude.Borrow + function cmp_le_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 156 4 156 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + goal vc_cmp_le_log'0 : [%#scmp0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_lt_log [#"../../../creusot-contracts/src/std/cmp.rs" 161 4 161 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 160 14 160 61 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 158 4 158 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = 
"../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - + type t_T'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops14] postcondition_once'0 self args res - = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops11] unnest'0 self b) - -> ([%#sops12] unnest'0 b c) -> ([%#sops13] unnest'0 self c) + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops10] unnest'0 self self + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops8] postcondition_mut'0 self args res_state res) - -> ([%#sops9] unnest'0 self res_state) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = - [%#sfilter5] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) - /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) - /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true - /\ postcondition_mut'0 f1 (i) f2 false)) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' - end) + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - axiom func'0_spec : forall self : t_Filter'0 . 
[%#sfilter6] inv'0 self -> inv'1 (func'0 self) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use map.Map + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter7] inv'0 self -> inv'2 (iter'0 self) + axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - use seq.Seq + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + = + [%#sord2] cmp_log'0 self o = C_Less'0 - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) - -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) + constant x : t_Reverse'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + constant y : t_Reverse'0 - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function cmp_lt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 161 4 161 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - use seq.Seq + goal vc_cmp_lt_log'0 : [%#scmp0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_ge_log [#"../../../creusot-contracts/src/std/cmp.rs" 166 4 166 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 165 14 165 61 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 163 4 163 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use map.Map + type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) 
(succ : t_Filter'0) - - = - [%#sfilter4] invariant'0 self - -> unnest'0 (func'0 self) (func'0 succ) - /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited - -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) - = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - constant a : t_Filter'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - constant ab : Seq.seq t_Item'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - constant b : t_Filter'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant bc : Seq.seq t_Item'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - constant c : t_Filter'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (a : t_Filter'0) (ab : Seq.seq t_Item'0) (b : t_Filter'0) (bc : Seq.seq t_Item'0) (c : t_Filter'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - goal vc_produces_trans'0 : ([%#sfilter1] produces'0 b bc c) - -> ([%#sfilter0] produces'0 a ab b) -> ([%#sfilter2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_refl [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (* as std::iter::Iterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_Item'0 + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - type t_I'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse3] inv'0 self -> inv'1 (view'0 self)) - && ([%#sfuse4] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + = + [%#sord2] cmp_log'0 self o <> C_Less'0 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + constant x : t_Reverse'0 - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + constant y : t_Reverse'0 - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function cmp_ge_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 166 4 166 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + goal vc_cmp_ge_log'0 : [%#scmp0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_gt_log [#"../../../creusot-contracts/src/std/cmp.rs" 171 4 171 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 170 14 170 64 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 168 4 168 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } + + type t_Ordering'0 = + 
| C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - = - [%#sfuse2] match view'0 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self - | C_Some'0 i -> match view'0 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end - constant self : t_Fuse'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_produces_refl'0 : [%#sfuse0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_trans [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (* as std::iter::Iterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 
91 34] (x : t_T'0) (y : t_T'0) : () - type t_I'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - type t_Item'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . 
inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse5] inv'0 self -> inv'1 (view'0 self)) - && ([%#sfuse6] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use seq.Seq + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 = - [%#sfuse4] match view'0 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self - | C_Some'0 i -> match view'0 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 end - constant a : t_Fuse'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Greater'0 - constant ab : Seq.seq t_Item'0 + constant x : t_Reverse'0 - constant b : t_Fuse'0 + constant y : t_Reverse'0 - constant bc : Seq.seq t_Item'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 171 4 171 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - constant c : t_Fuse'0 + goal vc_cmp_gt_log'0 : [%#scmp0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__refl [#"../../../creusot-contracts/src/std/cmp.rs" 176 4 176 20] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 175 14 175 45 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 173 4 173 10 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () + type t_T'0 + + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - goal vc_produces_trans'0 : ([%#sfuse1] produces'0 b bc c) - -> ([%#sfuse0] produces'0 a ab b) -> ([%#sfuse2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi7691061398646472980__is_fused [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (* as std::iter::fuse::FusedIterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 63 15 63 31 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 64 15 64 44 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 65 14 65 50 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 61 4 61 10 - let%span sfuse4 = 
"../../../creusot-contracts/src/std/iter/fuse.rs" 20 12 21 28 - let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 - let%span sfuse7 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 - let%span sfuse8 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 - let%span sfuse9 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 - let%span sfuse10 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 - let%span sfuse11 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 - let%span smodel12 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sfuse13 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse14 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - type t_I'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - type t_Item'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - function view'1 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - axiom view'1_spec : forall self : t_Fuse'0 . ([%#sfuse13] inv'0 self -> inv'1 (view'1 self)) - && ([%#sfuse14] forall other : t_Fuse'0 . 
view'1 self = view'1 other -> self = other) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) - -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) - - = - [%#sfuse5] match view'1 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'1 other = view'1 self - | C_Some'0 i -> match view'1 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 = - [%#sfuse11] () - - axiom produces_trans'0_spec : forall a : t_Fuse'0, ab : Seq.seq t_Item'0, b : t_Fuse'0, bc : Seq.seq t_Item'0, c : t_Fuse'0 . ([%#sfuse8] produces'0 a ab b) - -> ([%#sfuse9] produces'0 b bc c) -> ([%#sfuse10] produces'0 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () = - [%#sfuse7] () - - axiom produces_refl'0_spec : forall self : t_Fuse'0 . 
[%#sfuse6] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Borrow + [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function view'0 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (t_Fuse'0)) : t_Option'0 = - [%#smodel12] view'1 self.current + constant x : t_Reverse'0 - predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + function refl'0 [#"../../../creusot-contracts/src/std/cmp.rs" 176 4 176 20] (x : t_Reverse'0) : () - predicate completed'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 18 4 18 35] (self : borrowed (t_Fuse'0)) = - [%#sfuse4] (view'0 self = C_None'0 - \/ (exists it : borrowed t_I'0 . completed'1 it /\ view'0 self = C_Some'0 (it.current))) - /\ view'1 self.final = C_None'0 + goal vc_refl'0 : [%#scmp0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__trans [#"../../../creusot-contracts/src/std/cmp.rs" 183 4 183 52] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 180 15 180 32 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 181 15 181 32 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 182 14 182 31 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 178 4 178 10 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + 
let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - constant self : borrowed (t_Fuse'0) + type t_T'0 - constant steps : Seq.seq t_Item'0 + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - constant next : t_Fuse'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function is_fused'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (self : borrowed (t_Fuse'0)) (steps : Seq.seq t_Item'0) (next : t_Fuse'0) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - goal vc_is_fused'0 : ([%#sfuse1] produces'0 self.final steps next) - -> ([%#sfuse0] completed'0 self) -> ([%#sfuse2] steps = (Seq.empty : Seq.seq t_Item'0) /\ self.final = next) -end -module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_refl [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (* as std::iter::Iterator> *) - let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 80 14 80 45 - let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 78 4 78 10 - let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 - let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 - let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span 
sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_B'0 - - use seq.Seq + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - type t_I'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_F'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - type t_Map'0 = - { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x - = match x with - | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f - end + axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - axiom func'0_spec : forall self : t_Map'0 . [%#smap3] inv'0 self -> inv'1 (func'0 self) + axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 - type t_Item'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Borrow + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops11] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops8] unnest'0 self b) - -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp4] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) - -> ([%#sops6] unnest'0 self res_state) + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use seq.Seq + constant z : t_Reverse'0 - use seq.Seq + constant o : t_Ordering'0 - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/std/cmp.rs" 183 4 183 52] (x : t_Reverse'0) (y : t_Reverse'0) (z : t_Reverse'0) (o : t_Ordering'0) : () + - use seq.Seq - - function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Map'0 . 
[%#smap4] inv'0 self -> inv'2 (iter'0 self) + goal vc_trans'0 : ([%#scmp1] cmp_log'0 y z = o) -> ([%#scmp0] cmp_log'0 x y = o) -> ([%#scmp2] cmp_log'0 x z = o) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym1 [#"../../../creusot-contracts/src/std/cmp.rs" 189 4 189 33] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 187 15 187 45 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 188 14 188 47 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 185 4 185 10 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use seq.Seq + type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function produces_trans'0 
[#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) - -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - use seq.Seq + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - = - [%#smap2] unnest'0 (func'0 self) (func'0 succ) - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited - /\ produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - func'0 self = func'0 succ - else - (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 (func'0 self) (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - constant self : t_Map'0 + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (self : t_Map'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - goal vc_produces_refl'0 : [%#smap0] produces'0 self (Seq.empty : Seq.seq t_B'0) self -end -module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_trans [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (* as std::iter::Iterator> *) - let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 85 15 85 32 - let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 86 15 86 32 - let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 87 14 87 42 - let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 83 4 83 10 - let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 - let%span smap5 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 - let%span smap6 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + 
axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - type t_I'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - type t_F'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - type t_Map'0 = - { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_B'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x - = match x with - | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f - end + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom func'0_spec : forall self : t_Map'0 . 
[%#smap5] inv'0 self -> inv'1 (func'0 self) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - type t_Item'0 + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - use prelude.prelude.Borrow + constant x : t_Reverse'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + constant y : t_Reverse'0 - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) + function antisym1'0 [#"../../../creusot-contracts/src/std/cmp.rs" 189 4 189 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - + goal vc_antisym1'0 : ([%#scmp0] cmp_log'0 x y = C_Less'0) -> ([%#scmp1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym2 [#"../../../creusot-contracts/src/std/cmp.rs" 195 4 195 33] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 193 15 193 48 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 194 14 194 44 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 191 4 191 10 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span 
sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops13] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + type t_T'0 - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops10] unnest'0 self b) - -> ([%#sops11] unnest'0 b c) -> ([%#sops12] unnest'0 self c) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops9] unnest'0 self self + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - + axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops7] postcondition_mut'0 self args res_state res) - -> ([%#sops8] unnest'0 self res_state) + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - use seq.Seq + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 - function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom iter'0_spec : forall self : t_Map'0 . [%#smap6] inv'0 self -> inv'2 (iter'0 self) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use seq.Seq + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter15] produces'1 a ab b) - -> ([%#siter16] produces'1 b bc c) -> ([%#siter17] produces'1 a (Seq.(++) ab bc) c) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter14] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - use seq.Seq + constant x : t_Reverse'0 - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + constant y : t_Reverse'0 + + function antisym2'0 [#"../../../creusot-contracts/src/std/cmp.rs" 195 4 195 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - = - [%#smap4] unnest'0 (func'0 self) (func'0 succ) - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited - /\ produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - func'0 self = func'0 succ - else - (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 (func'0 self) (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - - use seq.Seq - constant a : t_Map'0 - - constant ab : Seq.seq t_B'0 + goal vc_antisym2'0 : ([%#scmp0] cmp_log'0 x y = C_Greater'0) -> ([%#scmp1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__eq_cmp [#"../../../creusot-contracts/src/std/cmp.rs" 200 4 200 31] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 199 14 199 59 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 197 4 197 10 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - constant b : t_Map'0 + type t_T'0 - constant bc : Seq.seq t_B'0 + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - constant c : t_Map'0 + type t_Ordering'0 = + | 
C_Less'0 + | C_Equal'0 + | C_Greater'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (a : t_Map'0) (ab : Seq.seq t_B'0) (b : t_Map'0) (bc : Seq.seq t_B'0) (c : t_Map'0) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - goal vc_produces_trans'0 : ([%#smap1] produces'0 b bc c) - -> ([%#smap0] produces'0 a ab b) -> ([%#smap2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_refl [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_B'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - type t_I'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - type t_F'0 + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - type t_Item'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - use prelude.prelude.Snapshot + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - use prelude.prelude.Borrow + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) - -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) - -> ([%#sops4] unnest'0 self res_state) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - use seq.Seq + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use seq.Seq + function eq_cmp'0 [#"../../../creusot-contracts/src/std/cmp.rs" 200 4 200 31] (x : t_Reverse'0) (y : t_Reverse'0) : () - use seq.Seq + goal vc_eq_cmp'0 : [%#scmp0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_refl [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (* as std::iter::Iterator> *) + let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 177 14 177 45 + let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 175 4 175 10 + let%span sdeque2 
= "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 use seq.Seq - use seq.Seq + use prelude.prelude.Borrow - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + type t_T'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + use seq.Seq - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'1 a ab b) - -> ([%#siter12] produces'1 b bc c) -> ([%#siter13] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.Opaque - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter10] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + type t_Iter'1 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - use prelude.prelude.Snapshot + type t_Iter'0 = + { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } - use prelude.prelude.Snapshot + use prelude.prelude.Slice - use prelude.prelude.Int + function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 use seq.Seq 
@@ -4388,113 +4752,87 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__pr use seq.Seq - use prelude.prelude.Snapshot - - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - - - use seq.Seq + use prelude.prelude.UIntSize - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) - - = - [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + constant v_MAX'0 : usize = (18446744073709551615 : usize) - constant self : t_MapInv'0 + use prelude.prelude.UIntSize - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () + use prelude.prelude.Int - goal vc_produces_refl'0 : [%#smap_inv0] produces'0 self (Seq.empty : Seq.seq t_B'0) self -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_trans [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter12 = 
"../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + use prelude.prelude.Slice - type t_I'0 + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - type t_F'0 + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice8] view'2 self = Slice.id self) - type t_Item'0 + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel5] view'2 self use seq.Seq - use prelude.prelude.Snapshot - - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - - type t_B'0 - use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + = + [%#sindex6] Seq.get (view'2 self) ix - use prelude.prelude.Borrow + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice4] forall i : int . 
0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + = + [%#sdeque2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops11] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + constant self : t_Iter'0 - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (self : t_Iter'0) : () - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + goal vc_produces_refl'0 : [%#sdeque0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_trans [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (* as std::iter::Iterator> *) + let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 182 15 182 32 + let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 183 15 183 32 + let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 184 14 184 42 + let%span sdeque3 = "../../../creusot-contracts/src/std/deque.rs" 180 4 180 10 + let%span sdeque4 = 
"../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) - -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) + use prelude.prelude.Opaque - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self + type t_Iter'1 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + type t_Iter'0 = + { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) - -> ([%#sops6] unnest'0 self res_state) + use prelude.prelude.Borrow - use seq.Seq + type t_T'0 use seq.Seq - use seq.Seq + use prelude.prelude.Slice + + function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 use seq.Seq 
@@ -4502,774 +4840,592 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__pr use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use prelude.prelude.UIntSize - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) - -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.UIntSize - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + use prelude.prelude.Int - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use prelude.prelude.Slice - use prelude.prelude.Snapshot + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - use prelude.prelude.Snapshot + axiom view'2_spec : forall self : slice t_T'0 . 
([%#sslice9] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice10] view'2 self = Slice.id self) - use prelude.prelude.Int + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel7] view'2 self use seq.Seq use seq.Seq - use seq.Seq + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex8] Seq.get (view'2 self) ix - use prelude.prelude.Snapshot + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#smap_inv4] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 
1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - - use seq.Seq + [%#sdeque4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant a : t_MapInv'0 + constant a : t_Iter'0 - constant ab : Seq.seq t_B'0 + constant ab : Seq.seq t_T'0 - constant b : t_MapInv'0 + constant b : t_Iter'0 - constant bc : Seq.seq t_B'0 + constant bc : Seq.seq t_T'0 - constant c : t_MapInv'0 + constant c : t_Iter'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - goal vc_produces_trans'0 : ([%#smap_inv1] produces'0 b bc c) - -> ([%#smap_inv0] produces'0 a ab b) -> ([%#smap_inv2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#sdeque1] produces'0 b bc c) + -> ([%#sdeque0] produces'0 a ab b) -> ([%#sdeque2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi5691635635396426195__resolve_coherence [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (* as resolve::Resolve> *) - 
let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 62 15 62 39 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 63 14 63 31 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 60 4 60 23 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 57 8 57 50 - - use prelude.prelude.Borrow - - type t_I'0 +module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_refl [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (* as std::iter::Iterator> *) + let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 57 14 57 45 + let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 55 4 55 10 + let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 + let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_F'0 + use seq.Seq - type t_B'0 + type t_T'0 use seq.Seq - use prelude.prelude.Snapshot + type t_I'0 - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_B'0) } + type t_Cloned'0 = + { t_Cloned__it'0: t_I'0 } - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : Snapshot.snap_ty (Seq.seq t_B'0)) - = - true + use prelude.prelude.Borrow - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_I'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate 
structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_MapInv'0) = - match _1 with - | {t_MapInv__iter'0 = x0 ; t_MapInv__func'0 = x1 ; t_MapInv__produced'0 = x2} -> resolve'1 x2 - /\ resolve'2 x1 /\ resolve'3 x0 - end + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) - predicate resolve'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 28] (self : t_MapInv'0) = - [%#smap_inv3] resolve'3 self.t_MapInv__iter'0 /\ resolve'2 self.t_MapInv__func'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x + = match x with + | {t_Cloned__it'0 = it} -> inv'1 it + end - constant self : t_MapInv'0 + function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 - function resolve_coherence'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (self : t_MapInv'0) : () - + axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned3] inv'0 self -> inv'1 (iter'0 self) - goal vc_resolve_coherence'0 : ([%#smap_inv0] structural_resolve'0 self) -> ([%#smap_inv1] resolve'0 self) -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4413682431414748756__next [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 4 90 44] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 91 39 91 58 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 94 16 94 76 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 95 31 95 71 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 99 38 99 88 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 100 32 100 63 - let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 105 32 105 56 - let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 17 90 21 - let%span smap_inv7 = 
"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 26 90 44 - let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 86 14 89 5 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 103 26 106 17 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 162 27 162 52 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 163 26 163 71 - let%span smap_inv12 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 163 15 163 31 - let%span smap_inv13 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 164 4 164 60 - let%span smap_inv14 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 165 15 165 30 - let%span smap_inv15 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 166 15 166 64 - let%span smap_inv16 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 167 14 167 74 - let%span smap_inv17 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 168 14 168 75 - let%span smap_inv18 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 - let%span smap_inv19 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 - let%span smap_inv20 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9 - let%span smap_inv21 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 74 12 76 73 - let%span smap_inv22 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 - let%span smap_inv23 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 - let%span smap_inv24 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 117 12 119 63 - let%span smap_inv25 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sresolve26 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span smap_inv27 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv28 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv29 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - 
let%span smap_inv30 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv31 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv32 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span siter33 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter34 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter35 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter36 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span sops37 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops38 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops39 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops40 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops41 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops42 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops43 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span smap_inv44 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 153 12 156 47 - let%span smap_inv45 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 - let%span sinvariant46 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - use prelude.prelude.Snapshot + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) + - type t_I'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : 
t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - type t_F'0 + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - type t_Item'0 + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self use seq.Seq - use prelude.prelude.Snapshot - - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + use seq.Seq - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_I'0) = - [%#sinvariant46] inv'0 self.current /\ inv'0 self.final + use prelude.prelude.Int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_I'0) + use seq.Seq - axiom inv_axiom'2 [@rewrite] : forall x : borrowed t_I'0 [inv'4 x] . inv'4 x = invariant'2 x + use seq.Seq - type t_Option'0 = - | C_None'0 - | C_Some'0 t_Item'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + + = + [%#scloned2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - predicate inv'9 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Item'0) + constant self : t_Cloned'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (self : t_Cloned'0) : () - axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'5 x] . 
inv'5 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'9 a_0 - end + goal vc_produces_refl'0 : [%#scloned0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_trans [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (* as std::iter::Iterator> *) + let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 62 15 62 32 + let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 63 15 63 32 + let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 64 14 64 42 + let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 60 4 60 10 + let%span scloned4 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 + let%span scloned5 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_I'0 + + type t_Cloned'0 = + { t_Cloned__it'0: t_I'0 } + + type t_T'0 use seq.Seq + use prelude.prelude.Borrow + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter34] produces'0 a ab b) - -> ([%#siter35] produces'0 b bc c) -> ([%#siter36] produces'0 a (Seq.(++) ab bc) c) + axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x + = match x with + | {t_Cloned__it'0 = it} -> inv'1 it + end - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter33] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned5] inv'0 self -> inv'1 (iter'0 self) - predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + use seq.Seq use seq.Seq - let rec next'1 (self:borrowed t_I'0) (return' (ret:t_Option'0))= {[@expl:next 'self' type invariant] inv'4 self} - any - [ return' (result:t_Option'0)-> {inv'5 result} - {[%#siter9] match result with - | C_None'0 -> completed'1 self - | C_Some'0 v -> produces'0 self.current (Seq.singleton v) self.final - end} - (! return' {result}) ] + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Item'0))= any - [ good (field_0:t_Item'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Item'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - use prelude.prelude.Snapshot + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use seq.Seq + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self - use prelude.prelude.Snapshot + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_F'0) = - [%#sinvariant46] inv'1 self.current /\ inv'1 self.final + use prelude.prelude.Int - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_F'0) + use seq.Seq - axiom inv_axiom'4 [@rewrite] : forall x : borrowed t_F'0 [inv'6 x] . inv'6 x = invariant'3 x + use seq.Seq - predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + = + [%#scloned4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - axiom inv_axiom'5 [@rewrite] : forall x : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) [inv'7 x] . 
inv'7 x - = (let (x0, x1) = x in inv'9 x0) + use seq.Seq - type t_B'0 + constant a : t_Cloned'0 - predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + constant ab : Seq.seq t_T'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + constant b : t_Cloned'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + constant bc : Seq.seq t_T'0 - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + constant c : t_Cloned'0 - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (a : t_Cloned'0) (ab : Seq.seq t_T'0) (b : t_Cloned'0) (bc : Seq.seq t_T'0) (c : t_Cloned'0) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops43] postcondition_once'0 self args res - = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'2 res_state) + goal vc_produces_trans'0 : ([%#scloned1] produces'0 b bc c) + -> ([%#scloned0] produces'0 a ab b) -> ([%#scloned2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_refl [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (* as std::iter::Iterator> *) + let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 + let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 55 4 55 10 + let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + use seq.Seq - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + type t_T'0 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops40] unnest'0 self b) - -> ([%#sops41] unnest'0 b c) -> ([%#sops42] unnest'0 self c) + use seq.Seq - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_I'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops39] unnest'0 self self + type t_Copied'0 = + { t_Copied__it'0: t_I'0 } - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + use prelude.prelude.Borrow - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops37] postcondition_mut'0 self args res_state res) - -> ([%#sops38] unnest'0 self res_state) + use seq.Seq - let rec call_mut'0 (self:borrowed t_F'0) (args:(t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (return' (ret:t_B'0))= {[@expl:call_mut 'self' type invariant] inv'6 self} - {[@expl:call_mut 'args' type invariant] inv'7 args} - {[@expl:call_mut requires] [%#sops10] precondition'0 self.current args} - any - [ return' (result:t_B'0)-> {inv'8 result} - {[%#sops11] postcondition_mut'0 self.current args self.final result} - (! return' {result}) ] - + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate next_precondition'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 115 4 115 78] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - - = - [%#smap_inv24] forall e : t_Item'0, i : t_I'0 . produces'0 iter (Seq.singleton e) i - -> precondition'0 func (e, Snapshot.new produced) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) - predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) - - = - [%#smap_inv45] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new s) - -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) + axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x + = match x with + | {t_Copied__it'0 = it} -> inv'1 it + end - predicate reinitialize'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 151 4 151 33] (_1 : ()) = - [%#smap_inv44] forall iter : borrowed t_I'0, func : t_F'0 . completed'1 iter - -> next_precondition'0 iter.final func (Seq.empty : Seq.seq t_Item'0) /\ preservation'0 iter.final func + function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 - predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - - = - [%#smap_inv23] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) - -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied3] inv'0 self -> inv'1 (iter'0 self) - axiom preservation_inv'0_spec : forall iter : t_I'0, func : t_F'0, produced : Seq.seq t_Item'0 . 
[%#smap_inv22] produced - = (Seq.empty : Seq.seq t_Item'0) -> preservation_inv'0 iter func produced = preservation'0 iter func + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 72 4 72 30] (self : t_MapInv'0) = - [%#smap_inv21] reinitialize'0 () - /\ preservation_inv'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) - /\ next_precondition'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) + use seq.Seq - function produces_one_invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 169 4 169 73] (self : t_MapInv'0) (e : t_Item'0) (r : t_B'0) (f : borrowed t_F'0) (iter : t_I'0) : () + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - axiom produces_one_invariant'0_spec : forall self : t_MapInv'0, e : t_Item'0, r : t_B'0, f : borrowed t_F'0, iter : t_I'0 . ([%#smap_inv12] invariant'0 self) - -> ([%#smap_inv13] produces'0 self.t_MapInv__iter'0 (Seq.singleton e) iter) - -> ([%#smap_inv14] f.current = self.t_MapInv__func'0) - -> ([%#smap_inv15] postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final r) - -> ([%#smap_inv16] preservation_inv'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) - && ([%#smap_inv17] next_precondition'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + - use prelude.prelude.Snapshot + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . 
([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - use prelude.prelude.Snapshot + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use seq.Seq + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self use seq.Seq use seq.Seq - use seq.Seq + use prelude.prelude.Int use seq.Seq use seq.Seq - use seq.Seq + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + + = + [%#scopied2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - use seq.Seq + constant self : t_Copied'0 - use prelude.prelude.Snapshot + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (self : t_Copied'0) : () - use prelude.prelude.Int + goal vc_produces_refl'0 : [%#scopied0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_trans [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (* as std::iter::Iterator> *) + let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 + let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 + let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 + let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 60 4 60 10 + let%span scopied4 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span scopied5 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = 
"../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_I'0 + + type t_Copied'0 = + { t_Copied__it'0: t_I'0 } + + type t_T'0 use seq.Seq + use prelude.prelude.Borrow + use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x + = match x with + | {t_Copied__it'0 = it} -> inv'1 it + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'0 self -> inv'1 (iter'0 self) + use seq.Seq use seq.Seq - predicate produces'1 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - = - [%#smap_inv25] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'0 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - = - [%#smap_inv32] () - - axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv29] produces'1 a ab b) - -> ([%#smap_inv30] produces'1 b bc c) -> ([%#smap_inv31] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = - [%#smap_inv28] () - axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv27] produces'1 self (Seq.empty : Seq.seq t_B'0) self - - predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - - = - [%#smap_inv19] exists f : borrowed t_F'0, e : t_Item'0 . 
f.current = self.t_MapInv__func'0 - /\ f.final = succ.t_MapInv__func'0 - /\ produces'0 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e - /\ precondition'0 f.current (e, self.t_MapInv__produced'0) - /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - axiom produces_one'0_spec : forall self : t_MapInv'0, visited : t_B'0, succ : t_MapInv'0 . [%#smap_inv18] produces_one'0 self visited succ - = produces'1 self (Seq.singleton visited) succ + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - predicate inv'10 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_MapInv'0) + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self - axiom inv_axiom'6 [@rewrite] : forall x : t_MapInv'0 [inv'10 x] . inv'10 x - = (invariant'0 x - /\ match x with - | {t_MapInv__iter'0 = iter ; t_MapInv__func'0 = func ; t_MapInv__produced'0 = produced} -> inv'0 iter /\ inv'1 func - end) + use seq.Seq - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_MapInv'0)) = - [%#sinvariant46] inv'10 self.current /\ inv'10 self.final + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_MapInv'0)) + use prelude.prelude.Int - axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_MapInv'0) [inv'2 x] . 
inv'2 x = invariant'1 x + use seq.Seq - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_MapInv'0)) = - [%#sresolve26] self.final = self.current + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_MapInv'0)) = - resolve'1 _1 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + + = + [%#scopied4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - type t_Option'1 = - | C_None'1 - | C_Some'1 t_B'0 + use seq.Seq - use prelude.prelude.Intrinsic + constant a : t_Copied'0 - use prelude.prelude.Snapshot + constant ab : Seq.seq t_T'0 - use prelude.prelude.Snapshot + constant b : t_Copied'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + constant bc : Seq.seq t_T'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'1 [inv'3 x] . 
inv'3 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'8 a_0 - end + constant c : t_Copied'0 - predicate completed'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 14 4 14 35] (self : borrowed (t_MapInv'0)) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () - = - [%#smap_inv20] Snapshot.inner (self.final).t_MapInv__produced'0 = (Seq.empty : Seq.seq t_Item'0) - /\ completed'1 (Borrow.borrow_logic (self.current).t_MapInv__iter'0 (self.final).t_MapInv__iter'0 (Borrow.inherit_id (Borrow.get_id self) 1)) - /\ (self.current).t_MapInv__func'0 = (self.final).t_MapInv__func'0 - - meta "compute_max_steps" 1000000 - let rec next'0 (self:borrowed (t_MapInv'0)) (return' (ret:t_Option'1))= {[@expl:next 'self' type invariant] [%#smap_inv6] inv'2 self} - (! bb0 - [ bb0 = s0 [ s0 = [ &old_self <- [%#smap_inv0] Snapshot.new self.current ] s1 | s1 = bb1 ] - | bb1 = s0 - [ s0 = {inv'0 (self.current).t_MapInv__iter'0} - Borrow.borrow_final {(self.current).t_MapInv__iter'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_I'0) -> - [ &_6 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { self.current with t_MapInv__iter'0 = _ret'.final } } ] - s1) - | s1 = next'1 {_6} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s2) - | s2 = bb2 ] - - | bb2 = any [ br0 -> {_5 = C_None'0 } (! bb5) | br1 (x0:t_Item'0)-> {_5 = C_Some'0 x0} (! 
bb4) ] - | bb4 = bb6 - | bb6 = s0 - [ s0 = v_Some'0 {_5} (fun (r0'0:t_Item'0) -> [ &v <- r0'0 ] s1) - | s1 = {[@expl:assertion] [%#smap_inv1] precondition'0 (self.current).t_MapInv__func'0 (v, (self.current).t_MapInv__produced'0)} - s2 - | s2 = bb7 ] - - | bb7 = s0 - [ s0 = - [ &produced <- [%#smap_inv2] Snapshot.new (Seq.snoc (Snapshot.inner (self.current).t_MapInv__produced'0) v) ] - - s1 - | s1 = bb8 ] - - | bb8 = s0 - [ s0 = {inv'1 (self.current).t_MapInv__func'0} - Borrow.borrow_final {(self.current).t_MapInv__func'0} {Borrow.inherit_id (Borrow.get_id self) 2} - (fun (_ret':borrowed t_F'0) -> - [ &_14 <- _ret' ] - -{inv'1 _ret'.final}- - [ &self <- { self with current = { self.current with t_MapInv__func'0 = _ret'.final } } ] - s1) - | s1 = [ &_15 <- (v, (self.current).t_MapInv__produced'0) ] s2 - | s2 = call_mut'0 {_14} {_15} (fun (_ret':t_B'0) -> [ &r <- _ret' ] s3) - | s3 = bb9 ] - - | bb9 = bb10 - | bb10 = s0 - [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = produced } } ] s1 - | s1 = [ &_19 <- [%#smap_inv3] Snapshot.new (let _ = () in ()) ] s2 - | s2 = bb11 ] - - | bb11 = s0 - [ s0 = {[@expl:assertion] [%#smap_inv4] produces_one'0 (Snapshot.inner old_self) r self.current} s1 | s1 = bb12 ] - - | bb12 = s0 - [ s0 = {[@expl:type invariant] inv'2 self} s1 - | s1 = -{resolve'0 self}- s2 - | s2 = [ &_0 <- C_Some'1 r ] s3 - | s3 = bb13 ] - - | bb13 = bb14 - | bb14 = bb15 - | bb15 = bb17 - | bb5 = s0 [ s0 = [ &_24 <- [%#smap_inv5] Snapshot.new (Seq.empty : Seq.seq t_Item'0) ] s1 | s1 = bb16 ] - | bb16 = s0 - [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = _24 } } ] s1 - | s1 = {[@expl:type invariant] inv'2 self} s2 - | s2 = -{resolve'0 self}- s3 - | s3 = [ &_0 <- C_None'1 ] s4 - | s4 = bb17 ] - - | bb17 = bb18 - | bb18 = return' {_0} ] - ) - [ & _0 : t_Option'1 = any_l () - | & self : borrowed (t_MapInv'0) = self - | & old_self : Snapshot.snap_ty (t_MapInv'0) = any_l () - | & _5 : t_Option'0 = 
any_l () - | & _6 : borrowed t_I'0 = any_l () - | & v : t_Item'0 = any_l () - | & produced : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () - | & r : t_B'0 = any_l () - | & _14 : borrowed t_F'0 = any_l () - | & _15 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) = any_l () - | & _19 : Snapshot.snap_ty () = any_l () - | & _24 : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () ] - - [ return' (result:t_Option'1)-> {[@expl:next result type invariant] [%#smap_inv7] inv'3 result} - {[@expl:next ensures] [%#smap_inv8] match result with - | C_None'1 -> completed'0 self - | C_Some'1 v -> produces_one'0 self.current v self.final - end} - (! return' {result}) ] - + goal vc_produces_trans'0 : ([%#scopied1] produces'0 b bc c) + -> ([%#scopied0] produces'0 a ab b) -> ([%#scopied2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__preservation_inv [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (* std::iter::map_inv::MapInv::Item, F> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 - let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - 
let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_refl [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (* as std::iter::Iterator> *) + let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 18 14 18 45 + let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 16 4 16 10 + let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 use seq.Seq - type t_Item'0 + type t_T'0 use seq.Seq - type t_I'0 + type t_Empty'0 = + { t_Empty__0'0: () } - type t_F'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + + = + [%#sempty2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - use prelude.prelude.Borrow + constant self : t_Empty'0 - type t_B'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (self : t_Empty'0) : () - use prelude.prelude.Snapshot + goal vc_produces_refl'0 : [%#sempty0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_trans [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (* as std::iter::Iterator> *) + let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 23 15 23 32 + let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 24 15 24 32 + let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 25 14 25 42 + let%span sempty3 = "../../../creusot-contracts/src/std/iter/empty.rs" 21 4 21 10 + let%span sempty4 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty 
(Seq.seq t_Item'0))) (result : t_B'0) - + type t_Empty'0 = + { t_Empty__0'0: () } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + type t_T'0 - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + = + [%#sempty4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + use seq.Seq - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant a : t_Empty'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + constant ab : Seq.seq t_T'0 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) - -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) + constant b : t_Empty'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + constant bc : Seq.seq t_T'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops5] unnest'0 self self + constant c : t_Empty'0 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (a : t_Empty'0) (ab : Seq.seq t_T'0) (b : t_Empty'0) (bc : Seq.seq t_T'0) (c : t_Empty'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) - -> ([%#sops4] unnest'0 self res_state) + goal vc_produces_trans'0 : ([%#sempty1] produces'0 b bc c) + -> ([%#sempty0] produces'0 a ab b) -> ([%#sempty2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_refl [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (* as std::iter::Iterator> *) + let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 82 14 82 45 + let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 80 4 80 10 + let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 + let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span senumerate8 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 use seq.Seq - use seq.Seq + use prelude.prelude.UIntSize - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o 
: t_I'0) - + type t_Item'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + use seq.Seq - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'0 a ab b) - -> ([%#siter12] produces'0 b bc c) -> ([%#siter13] produces'0 a (Seq.(++) ab bc) c) + type t_I'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + type t_Enumerate'0 = + { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter10] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - use prelude.prelude.Snapshot + use prelude.prelude.Int - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int - predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) - - = - [%#smap_inv2] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new s) - -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) + use seq.Seq - constant iter : t_I'0 + use seq.Seq - constant func : t_F'0 + use seq.Seq - constant produced : Seq.seq t_Item'0 + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - goal vc_preservation_inv'0 : [%#smap_inv0] produced = (Seq.empty : Seq.seq t_Item'0) - -> ([%#smap_inv1] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) - -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) - = preservation'0 iter func -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__produces_one [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (* std::iter::map_inv::MapInv::Item, F> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops15 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops16 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops17 = 
"../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops18 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops19 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - use seq.Seq + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use seq.Seq + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - type t_I'0 + use seq.Seq - type t_F'0 + constant v_MAX'0 : usize = (18446744073709551615 : usize) - type t_Item'0 + use prelude.prelude.UIntSize - use seq.Seq + use prelude.prelude.Borrow - use prelude.prelude.Snapshot + predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - type t_B'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - use seq.Seq + function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 - use seq.Seq + axiom iter'0_spec : forall self : t_Enumerate'0 . 
[%#senumerate3] inv'0 self -> inv'1 (iter'0 self) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = + [%#senumerate8] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i + -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) + /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) - use prelude.prelude.Borrow + axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter + end) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + = + [%#senumerate2] Seq.length visited = n'0 o - n'0 self + /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i + /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops19] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant self : t_Enumerate'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (self : t_Enumerate'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops16] unnest'0 self b) - -> ([%#sops17] unnest'0 b c) -> ([%#sops18] unnest'0 self c) + goal vc_produces_refl'0 : [%#senumerate0] produces'0 self (Seq.empty : Seq.seq (usize, t_Item'0)) self +end +module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_trans [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (* as std::iter::Iterator> *) + let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 87 15 87 32 + let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 88 15 88 32 + let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 89 14 89 42 + let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 85 4 85 10 + let%span senumerate4 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 + let%span senumerate5 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 
+ let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span senumerate10 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_I'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops15] unnest'0 self self + use prelude.prelude.UIntSize - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + type t_Enumerate'0 = + { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops13] postcondition_mut'0 self args res_state res) - -> ([%#sops14] unnest'0 self res_state) + type t_Item'0 use seq.Seq use seq.Seq - use seq.Seq + use prelude.prelude.Int + + function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int use seq.Seq 
@@ -5283,742 +5439,752 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter10] produces'1 a ab b) - -> ([%#siter11] produces'1 b bc c) -> ([%#siter12] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter9] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter6] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - use prelude.prelude.Snapshot + use seq.Seq - use prelude.prelude.Snapshot + constant v_MAX'0 : usize = (18446744073709551615 : usize) - use prelude.prelude.Int + use prelude.prelude.UIntSize - use seq.Seq + use prelude.prelude.Borrow - use seq.Seq + predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use prelude.prelude.Snapshot + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 - use seq.Seq + axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate5] inv'0 self -> inv'1 (iter'0 self) - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) - - = - [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = + [%#senumerate10] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i + -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) + /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () - - = - [%#smap_inv8] () + axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter + end) - axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv5] produces'0 a ab b) - -> ([%#smap_inv6] produces'0 b bc c) -> ([%#smap_inv7] produces'0 a (Seq.(++) ab bc) c) + use seq.Seq - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = - [%#smap_inv4] () + use seq.Seq - axiom produces_refl'0_spec : forall self : t_MapInv'0 . 
[%#smap_inv3] produces'0 self (Seq.empty : Seq.seq t_B'0) self + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + + = + [%#senumerate4] Seq.length visited = n'0 o - n'0 self + /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i + /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) use seq.Seq - use seq.Seq + constant a : t_Enumerate'0 - constant self : t_MapInv'0 + constant ab : Seq.seq (usize, t_Item'0) - constant visited : t_B'0 + constant b : t_Enumerate'0 - constant succ : t_MapInv'0 + constant bc : Seq.seq (usize, t_Item'0) - predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - + constant c : t_Enumerate'0 - goal vc_produces_one'0 : [%#smap_inv0] ([%#smap_inv1] exists f : borrowed t_F'0, e : t_Item'0 . 
f.current - = self.t_MapInv__func'0 - /\ f.final = succ.t_MapInv__func'0 - /\ produces'1 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e - /\ precondition'0 f.current (e, self.t_MapInv__produced'0) - /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited) - = produces'0 self (Seq.singleton visited) succ + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (a : t_Enumerate'0) (ab : Seq.seq (usize, t_Item'0)) (b : t_Enumerate'0) (bc : Seq.seq (usize, t_Item'0)) (c : t_Enumerate'0) : () + + + goal vc_produces_trans'0 : ([%#senumerate1] produces'0 b bc c) + -> ([%#senumerate0] produces'0 a ab b) -> ([%#senumerate2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_refl [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (* as std::iter::Iterator> *) - let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 31 14 31 45 - let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 29 4 29 10 - let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 +module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_refl [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (* as std::iter::Iterator> *) + let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 105 14 105 45 + let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 103 4 103 10 + let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 + let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 + let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 + let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 + let%span sops6 = 
"../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - type t_T'0 + type t_Item'0 use seq.Seq - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 - - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + type t_I'0 - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + type t_F'0 - type t_Once'0 = - { t_Once__inner'0: t_IntoIter'0 } + type t_Filter'0 = + { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } - function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 + use prelude.prelude.Borrow - use seq.Seq + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - = - [%#sonce2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - constant self : t_Once'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (self : t_Once'0) : () + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) + - goal vc_produces_refl'0 : [%#sonce0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_trans [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (* as std::iter::Iterator> *) - let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 36 15 36 32 - let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 37 15 37 32 - let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 38 14 38 42 - let%span sonce3 = "../../../creusot-contracts/src/std/iter/once.rs" 34 4 34 10 - let%span sonce4 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + - type t_T'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops12] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops9] unnest'0 self b) + -> ([%#sops10] unnest'0 b c) -> ([%#sops11] unnest'0 self c) - type t_Once'0 = - { t_Once__inner'0: t_IntoIter'0 } + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - use seq.Seq + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops8] unnest'0 self self - use seq.Seq + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + - function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops6] postcondition_mut'0 self args res_state res) + -> ([%#sops7] unnest'0 self res_state) - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = + [%#sfilter3] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) + /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) + /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . 
not (postcondition_mut'0 f1 (i) f2 true + /\ postcondition_mut'0 f1 (i) f2 false)) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) - - = - [%#sonce4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - constant a : t_Once'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) - constant ab : Seq.seq t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' + end) - constant b : t_Once'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 - constant bc : Seq.seq t_T'0 + axiom func'0_spec : forall self : t_Filter'0 . 
[%#sfilter4] inv'0 self -> inv'1 (func'0 self) - constant c : t_Once'0 + use prelude.prelude.Int - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (a : t_Once'0) (ab : Seq.seq t_T'0) (b : t_Once'0) (bc : Seq.seq t_T'0) (c : t_Once'0) : () - + use map.Map - goal vc_produces_trans'0 : ([%#sonce1] produces'0 b bc c) - -> ([%#sonce0] produces'0 a ab b) -> ([%#sonce2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 30 4 30 10 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 + function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter5] inv'0 self -> inv'2 (iter'0 self) use seq.Seq - type t_Idx'0 + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - type t_Range'0 = - { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter14] produces'1 a ab b) + -> ([%#siter15] produces'1 b bc c) -> ([%#siter16] produces'1 a (Seq.(++) ab bc) c) - use prelude.prelude.Int + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter13] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use seq.Seq + use map.Map + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) = - [%#srange2] self.t_Range__end'0 = o.t_Range__end'0 - /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 - /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) - /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) + [%#sfilter2] invariant'0 self + -> unnest'0 (func'0 self) (func'0 succ) + /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited + -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> (exists j : int . 
0 <= j /\ j < Seq.length visited /\ Map.get f j = i) + = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - constant self : t_Range'0 + constant self : t_Filter'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (self : t_Range'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (self : t_Filter'0) : () - goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self + goal vc_produces_refl'0 : [%#sfilter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self end -module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 35 4 35 10 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 +module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_trans [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (* as std::iter::Iterator> *) + let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 110 15 110 32 + let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 111 15 111 32 + let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 112 14 112 42 + let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 108 4 108 10 + let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 + let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 + let%span sfilter6 = 
"../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 + let%span sfilter7 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_Idx'0 + type t_I'0 - type t_Range'0 = - { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } + type t_F'0 + + type t_Filter'0 = + { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + + type t_Item'0 use seq.Seq - use prelude.prelude.Int + use prelude.prelude.Borrow - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - use seq.Seq + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) + - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + predicate postcondition_mut'0 
[#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - = - [%#srange4] self.t_Range__end'0 = o.t_Range__end'0 - /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 - /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) - /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + - constant a : t_Range'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops14] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - constant ab : Seq.seq t_Idx'0 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - constant b : t_Range'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - constant bc : Seq.seq t_Idx'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops11] unnest'0 self b) + -> ([%#sops12] unnest'0 b c) -> ([%#sops13] unnest'0 self c) - constant c : t_Range'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (a : t_Range'0) (ab : Seq.seq t_Idx'0) (b : t_Range'0) (bc : Seq.seq t_Idx'0) (c : t_Range'0) : () + axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops10] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () - goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) - -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__range__range_inclusive_len [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span sops1 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops8] postcondition_mut'0 self args res_state res) + -> ([%#sops9] unnest'0 self res_state) - type t_Idx'0 + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = + [%#sfilter5] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) + /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) + /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . 
not (postcondition_mut'0 f1 (i) f2 true + /\ postcondition_mut'0 f1 (i) f2 false)) - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - use prelude.prelude.Int + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' + end) - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter6] inv'0 self -> inv'1 (func'0 self) - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . 
[%#sops1] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + use prelude.prelude.Int - constant r : t_RangeInclusive'0 + use map.Map - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int - + function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 - goal vc_range_inclusive_len'0 : ([%#sops1] not is_empty_log'0 r - -> deep_model'0 (start_log'0 r) <= deep_model'0 (end_log'0 r)) - -> (if is_empty_log'0 r then - [%#srange0] is_empty_log'0 r = (0 = 0) - else - [%#srange0] is_empty_log'0 r = (deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 = 0) - ) -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + axiom iter'0_spec : forall self : t_Filter'0 . 
[%#sfilter7] inv'0 self -> inv'2 (iter'0 self) use seq.Seq - type t_Idx'0 - use seq.Seq - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) + -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) - use prelude.prelude.Int + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + use seq.Seq - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + use map.Map - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . 
[%#sops5] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + use seq.Seq - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) = - [%#srange4] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + [%#sfilter4] invariant'0 self + -> unnest'0 (func'0 self) (func'0 succ) + /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited + -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) + = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange3] is_empty_log'0 r - = (range_inclusive_len'0 r = 0) + constant a : t_Filter'0 - use seq.Seq + constant ab : Seq.seq t_Item'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) - - = - [%#srange2] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o - /\ (is_empty_log'0 self -> is_empty_log'0 o) - /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) - /\ (forall i : int . 
0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) + constant b : t_Filter'0 - constant self : t_RangeInclusive'0 + constant bc : Seq.seq t_Item'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (self : t_RangeInclusive'0) : () + constant c : t_Filter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (a : t_Filter'0) (ab : Seq.seq t_Item'0) (b : t_Filter'0) (bc : Seq.seq t_Item'0) (c : t_Filter'0) : () - goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self + goal vc_produces_trans'0 : ([%#sfilter1] produces'0 b bc c) + -> ([%#sfilter0] produces'0 a ab b) -> ([%#sfilter2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 79 4 79 10 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 - let%span srange5 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span srange6 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_refl [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (* as std::iter::Iterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 
10 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_Idx'0 + use seq.Seq - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + type t_Item'0 use seq.Seq - use seq.Seq + type t_I'0 - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - use prelude.prelude.Int + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . 
[%#sops7] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int - - = - [%#srange6] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end - axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange5] is_empty_log'0 r - = (range_inclusive_len'0 r = 0) + function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + + axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse3] inv'0 self -> inv'1 (view'0 self)) + && ([%#sfuse4] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - = - [%#srange4] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o - /\ (is_empty_log'0 self -> is_empty_log'0 o) - /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) - use seq.Seq + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - constant a : t_RangeInclusive'0 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - constant ab : Seq.seq t_Idx'0 + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - constant b : t_RangeInclusive'0 + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - constant bc : Seq.seq t_Idx'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + + = + [%#sfuse2] match view'0 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self + | C_Some'0 i -> match view'0 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - constant c : t_RangeInclusive'0 + constant self : t_Fuse'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (a : t_RangeInclusive'0) (ab : Seq.seq t_Idx'0) (b : t_RangeInclusive'0) (bc : Seq.seq t_Idx'0) (c : t_RangeInclusive'0) : () - + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () - goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) - -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_refl'0 : [%#sfuse0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self end -module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_refl [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (* as std::iter::Iterator> *) - let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 31 14 31 45 - let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 29 4 29 10 - let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 - - use seq.Seq +module 
M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_trans [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (* as std::iter::Iterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_T'0 + type t_I'0 - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - type t_Repeat'0 = - { t_Repeat__element'0: t_T'0 } + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - use prelude.prelude.Int + type t_Item'0 use seq.Seq use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) - - = - [%#srepeat2] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - constant self : t_Repeat'0 + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (self : t_Repeat'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - goal vc_produces_refl'0 : [%#srepeat0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_trans [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (* as std::iter::Iterator> *) - let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 36 15 36 32 - let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 37 15 37 32 - let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 38 14 38 42 - let%span srepeat3 = "../../../creusot-contracts/src/std/iter/repeat.rs" 34 4 34 10 - let%span srepeat4 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end - type t_T'0 + function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 - type t_Repeat'0 = - { t_Repeat__element'0: t_T'0 } + axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse5] inv'0 self -> inv'1 (view'0 self)) + && ([%#sfuse6] forall other : t_Fuse'0 . 
view'0 self = view'0 other -> self = other) use seq.Seq - use prelude.prelude.Int + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use seq.Seq + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) - function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) = - [%#srepeat4] self = o /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) - - use seq.Seq + [%#sfuse4] match view'0 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self + | C_Some'0 i -> match view'0 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - constant a : t_Repeat'0 + constant a : t_Fuse'0 - constant ab : Seq.seq t_T'0 + constant ab : Seq.seq t_Item'0 - constant b : t_Repeat'0 + constant b : t_Fuse'0 - constant bc : Seq.seq t_T'0 + constant bc : Seq.seq t_Item'0 - constant c : t_Repeat'0 + constant c : t_Fuse'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (a : t_Repeat'0) (ab : Seq.seq t_T'0) (b : t_Repeat'0) (bc : Seq.seq t_T'0) (c : t_Repeat'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () - goal vc_produces_trans'0 : ([%#srepeat1] produces'0 b bc c) - -> ([%#srepeat0] produces'0 a ab b) -> ([%#srepeat2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#sfuse1] produces'0 b bc c) + -> ([%#sfuse0] produces'0 a ab b) -> ([%#sfuse2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_refl [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (* as std::iter::Iterator> *) - let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 73 14 73 45 - let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 71 4 71 10 - let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 - let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 - let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = 
"../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_Item'0 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi7691061398646472980__is_fused [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (* as std::iter::fuse::FusedIterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 63 15 63 31 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 64 15 64 44 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 65 14 65 50 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 61 4 61 10 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 20 12 21 28 + let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 + let%span sfuse7 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 + let%span sfuse8 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 + let%span sfuse9 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 + let%span sfuse10 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 + let%span sfuse11 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 + let%span smodel12 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfuse13 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse14 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 type t_I'0 - 
use prelude.prelude.UIntSize - - type t_Skip'0 = - { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - use prelude.prelude.Int + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_Item'0 - use prelude.prelude.UIntSize + use seq.Seq - function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + use seq.Seq - axiom n'0_spec : forall self : t_Skip'0 . [%#sskip3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x = match x with - | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + | {t_Fuse__iter'0 = iter} -> inv'1 iter end - function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 + function view'1 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 - axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip4] inv'0 self -> inv'1 (iter'0 self) + axiom view'1_spec : forall self : t_Fuse'0 . ([%#sfuse13] inv'0 self -> inv'1 (view'1 self)) + && ([%#sfuse14] forall other : t_Fuse'0 . 
view'1 self = view'1 other -> self = other) use seq.Seq predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) + -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use seq.Seq - - use prelude.prelude.Borrow + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + + = + [%#sfuse5] match view'1 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'1 other = view'1 self + | C_Some'0 i -> match view'1 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () = - [%#sskip2] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o - \/ n'0 o = 0 - /\ Seq.length visited > 0 - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self - /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) + [%#sfuse11] () - constant self : t_Skip'0 + axiom produces_trans'0_spec : forall a : t_Fuse'0, ab : Seq.seq t_Item'0, b : t_Fuse'0, bc : Seq.seq t_Item'0, c : t_Fuse'0 . 
([%#sfuse8] produces'0 a ab b) + -> ([%#sfuse9] produces'0 b bc c) -> ([%#sfuse10] produces'0 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (self : t_Skip'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () = + [%#sfuse7] () - goal vc_produces_refl'0 : [%#sskip0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_trans [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (* as std::iter::Iterator> *) - let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 78 15 78 32 - let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 79 15 79 32 - let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 80 14 80 42 - let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 76 4 76 10 - let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 - let%span sskip5 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 - let%span sskip6 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom produces_refl'0_spec : forall self : t_Fuse'0 . 
[%#sfuse6] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - type t_I'0 + use prelude.prelude.Borrow - use prelude.prelude.UIntSize + function view'0 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (t_Fuse'0)) : t_Option'0 = + [%#smodel12] view'1 self.current - type t_Skip'0 = - { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - type t_Item'0 + predicate completed'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 18 4 18 35] (self : borrowed (t_Fuse'0)) = + [%#sfuse4] (view'0 self = C_None'0 + \/ (exists it : borrowed t_I'0 . completed'1 it /\ view'0 self = C_Some'0 (it.current))) + /\ view'1 self.final = C_None'0 - use seq.Seq + constant self : borrowed (t_Fuse'0) - use seq.Seq + constant steps : Seq.seq t_Item'0 - use prelude.prelude.Int + constant next : t_Fuse'0 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function is_fused'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (self : borrowed (t_Fuse'0)) (steps : Seq.seq t_Item'0) (next : t_Fuse'0) : () + - use prelude.prelude.UIntSize + goal vc_is_fused'0 : ([%#sfuse1] produces'0 self.final steps next) + -> ([%#sfuse0] completed'0 self) -> ([%#sfuse2] steps = (Seq.empty : Seq.seq t_Item'0) /\ self.final = next) +end +module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_refl [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (* as std::iter::Iterator> *) + let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 80 14 80 45 + let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 78 4 78 10 + let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 + let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 + let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 + let%span sops5 = 
"../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + use seq.Seq - axiom n'0_spec : forall self : t_Skip'0 . [%#sskip5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + type t_B'0 use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_I'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + type t_F'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + type t_Map'0 = + { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . 
inv'0 x = match x with - | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f end - function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 - axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip6] inv'0 self -> inv'1 (iter'0 self) + axiom func'0_spec : forall self : t_Map'0 . [%#smap3] inv'0 self -> inv'1 (func'0 self) - use seq.Seq + type t_Item'0 - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - - - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.Borrow - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) + - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () + - use prelude.prelude.Borrow + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops11] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - = - [%#sskip4] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o - \/ n'0 o = 0 - /\ Seq.length visited > 0 - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self - /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - - constant a : t_Skip'0 - - constant ab : Seq.seq t_Item'0 - constant b : t_Skip'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) + -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) - constant bc : Seq.seq t_Item'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - constant c : t_Skip'0 + axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops7] unnest'0 self self - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (a : t_Skip'0) (ab : Seq.seq t_Item'0) (b : t_Skip'0) (bc : Seq.seq t_Item'0) (c : t_Skip'0) : () + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - goal vc_produces_trans'0 : ([%#sskip1] produces'0 b bc c) - -> ([%#sskip0] produces'0 a ab b) -> ([%#sskip2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_refl [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (* as std::iter::Iterator> *) - let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 71 14 71 45 - let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 69 4 69 10 - let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 - let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 - let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . 
([%#sops5] postcondition_mut'0 self args res_state res) + -> ([%#sops6] unnest'0 self res_state) use seq.Seq - type t_Item'0 - use seq.Seq - type t_I'0 - - use prelude.prelude.UIntSize - - type t_Take'0 = - { t_Take__iter'0: t_I'0; t_Take__n'0: usize } - - use prelude.prelude.Int - - constant v_MAX'0 : usize = (18446744073709551615 : usize) - - use prelude.prelude.UIntSize - - function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int - - axiom n'0_spec : forall self : t_Take'0 . [%#stake3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) - use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x - = match x with - | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter - end + function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 - function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + axiom iter'0_spec : forall self : t_Map'0 . [%#smap4] inv'0 self -> inv'2 (iter'0 self) - axiom iter'0_spec : forall self : t_Take'0 . [%#stake4] inv'0 self -> inv'1 (iter'0 self) + use seq.Seq use seq.Seq 
@@ -6028,148 +6194,159 @@ module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__prod function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) + -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) - - = - [%#stake2] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - constant self : t_Take'0 + use prelude.prelude.Int - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (self : t_Take'0) : () + use seq.Seq - goal vc_produces_refl'0 : [%#stake0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_trans [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (* as std::iter::Iterator> *) - let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32 - let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 77 15 77 32 - let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 78 14 78 42 - let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 74 4 74 10 - let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 - let%span stake5 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 - let%span stake6 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + use seq.Seq - type t_I'0 + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - use prelude.prelude.UIntSize + use seq.Seq - type t_Take'0 = - { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + + = + [%#smap2] unnest'0 (func'0 self) (func'0 succ) + /\ (exists fs : Seq.seq (borrowed t_F'0) . 
Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited + /\ produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + func'0 self = func'0 succ + else + (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 (func'0 self) (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - type t_Item'0 + constant self : t_Map'0 - use seq.Seq + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (self : t_Map'0) : () - use prelude.prelude.Int + goal vc_produces_refl'0 : [%#smap0] produces'0 self (Seq.empty : Seq.seq t_B'0) self +end +module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_trans [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (* as std::iter::Iterator> *) + let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 85 15 85 32 + let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 86 15 86 32 + let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 87 14 87 42 + let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 83 4 83 10 + let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 + let%span smap5 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 + let%span smap6 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 115 14 
115 31 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_I'0 - use prelude.prelude.UIntSize + type t_F'0 - function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + type t_Map'0 = + { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } - axiom n'0_spec : forall self : t_Take'0 . [%#stake5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + type t_B'0 use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x = match x with - | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter + | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f end - function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Take'0 . 
[%#stake6] inv'0 self -> inv'1 (iter'0 self) - - use seq.Seq + function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 - use seq.Seq + axiom func'0_spec : forall self : t_Map'0 . [%#smap5] inv'0 self -> inv'1 (func'0 self) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + type t_Item'0 - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.Borrow - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) + - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - = - [%#stake4] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) - constant a : t_Take'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . 
[%#sops13] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - constant ab : Seq.seq t_Item'0 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - constant b : t_Take'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - constant bc : Seq.seq t_Item'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops10] unnest'0 self b) + -> ([%#sops11] unnest'0 b c) -> ([%#sops12] unnest'0 self c) - constant c : t_Take'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (a : t_Take'0) (ab : Seq.seq t_Item'0) (b : t_Take'0) (bc : Seq.seq t_Item'0) (c : t_Take'0) : () + axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops9] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - goal vc_produces_trans'0 : ([%#stake1] produces'0 b bc c) - -> ([%#stake0] produces'0 a ab b) -> ([%#stake2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_refl [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (* as std::iter::Iterator> *) - let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45 - let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 53 4 53 10 - let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 - let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 - let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops7] postcondition_mut'0 self args res_state res) + -> ([%#sops8] unnest'0 self res_state) use seq.Seq - type t_Item'0 - - type t_Item'1 + use seq.Seq use seq.Seq - type t_A'0 + use seq.Seq - type t_B'0 + use seq.Seq - use prelude.prelude.UIntSize + function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 - type t_Zip'0 = - { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + axiom iter'0_spec : forall self : t_Map'0 . 
[%#smap6] inv'0 self -> inv'2 (iter'0 self) use seq.Seq use seq.Seq - use seq.Seq + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use seq.Seq + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter15] produces'1 a ab b) + -> ([%#siter16] produces'1 b bc c) -> ([%#siter17] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter14] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use prelude.prelude.Int 
@@ -6177,101 +6354,114 @@ module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produc use seq.Seq - use seq.Seq + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + + = + [%#smap4] unnest'0 (func'0 self) (func'0 succ) + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited + /\ produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + func'0 self = func'0 succ + else + (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 (func'0 self) (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x - = match x with - | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a - /\ inv'2 b - end + constant a : t_Map'0 - function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + constant ab : Seq.seq t_B'0 - axiom itera'0_spec : forall self : t_Zip'0 . 
[%#szip3] inv'0 self -> inv'1 (itera'0 self) + constant b : t_Map'0 - use seq.Seq + constant bc : Seq.seq t_B'0 - use seq.Seq + constant c : t_Map'0 - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (a : t_Map'0) (ab : Seq.seq t_B'0) (b : t_Map'0) (bc : Seq.seq t_B'0) (c : t_Map'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () - + goal vc_produces_trans'0 : ([%#smap1] produces'0 b bc c) + -> ([%#smap0] produces'0 a ab b) -> ([%#smap2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_refl [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter12 = 
"../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - axiom produces_trans'0_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + use seq.Seq - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + type t_B'0 - axiom produces_refl'1_spec : forall self : t_A'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + type t_I'0 - axiom iterb'0_spec : forall self : t_Zip'0 . [%#szip4] inv'0 self -> inv'2 (iterb'0 self) + type t_F'0 - use seq.Seq + type t_Item'0 use seq.Seq - predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) - + use prelude.prelude.Snapshot - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () - + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - axiom produces_trans'1_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter6] produces'2 a ab b) - -> ([%#siter7] produces'2 b bc c) -> ([%#siter8] produces'2 a (Seq.(++) ab bc) c) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + - function produces_refl'2 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + use prelude.prelude.Borrow - axiom produces_refl'2_spec : forall self : t_B'0 . 
[%#siter5] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - = - [%#szip2] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 - /\ Seq.length p2 = Seq.length visited - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) - /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) - constant self : t_Zip'0 + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (self : t_Zip'0) : () + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - goal vc_produces_refl'0 : [%#szip0] produces'0 self (Seq.empty : Seq.seq (t_Item'0, t_Item'1)) self -end -module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_trans [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (* as std::iter::Iterator> *) - let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32 - let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32 - let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42 - let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 58 4 58 10 - let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 - let%span szip5 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 - let%span szip6 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - type t_A'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - type t_B'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) + -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) - use prelude.prelude.UIntSize + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - type t_Zip'0 = - { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + axiom unnest_refl'0_spec : forall self : t_F'0 . 
[%#sops5] unnest'0 self self - type t_Item'0 + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + - type t_Item'1 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) + -> ([%#sops4] unnest'0 self res_state) use seq.Seq 
@@ -6285,155 +6475,163 @@ module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produc use seq.Seq - use prelude.prelude.Int - - use seq.Seq + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use seq.Seq + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'1 a ab b) + -> ([%#siter12] produces'1 b bc c) -> ([%#siter13] produces'1 a (Seq.(++) ab bc) c) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter10] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + use prelude.prelude.Snapshot - axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x - = match x with - | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a - /\ inv'2 b - end + use prelude.prelude.Snapshot - function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + use prelude.prelude.Int - axiom itera'0_spec : forall self : t_Zip'0 . 
[%#szip5] inv'0 self -> inv'1 (itera'0 self) + use seq.Seq use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + = + [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - axiom produces_trans'1_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + constant self : t_MapInv'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () - axiom produces_refl'0_spec : forall self : t_A'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + goal vc_produces_refl'0 : [%#smap_inv0] produces'0 self (Seq.empty : Seq.seq t_B'0) self +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_trans [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 
+ let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + type t_I'0 - axiom iterb'0_spec : forall self : t_Zip'0 . [%#szip6] inv'0 self -> inv'2 (iterb'0 self) + type t_F'0 + + type t_Item'0 use seq.Seq + use prelude.prelude.Snapshot + + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + + type t_B'0 + use seq.Seq - predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - function produces_trans'2 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - axiom produces_trans'2_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq 
t_Item'1, c : t_B'0 . ([%#siter8] produces'2 a ab b) - -> ([%#siter9] produces'2 b bc c) -> ([%#siter10] produces'2 a (Seq.(++) ab bc) c) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops11] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - axiom produces_refl'1_spec : forall self : t_B'0 . [%#siter7] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - = - [%#szip4] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 - /\ Seq.length p2 = Seq.length visited - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) - /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) - - use seq.Seq - - constant a : t_Zip'0 - constant ab : Seq.seq (t_Item'0, t_Item'1) - - constant b : t_Zip'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops8] unnest'0 self b) + -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) - constant bc : Seq.seq (t_Item'0, t_Item'1) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - constant c : t_Zip'0 + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (a : t_Zip'0) (ab : Seq.seq (t_Item'0, t_Item'1)) (b : t_Zip'0) (bc : Seq.seq (t_Item'0, t_Item'1)) (c : t_Zip'0) : () + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - goal vc_produces_trans'0 : ([%#szip1] produces'0 b bc c) - -> ([%#szip0] produces'0 a ab b) -> ([%#szip2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_refl [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (* <&mut I as std::iter::Iterator> *) - let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 222 14 222 45 - let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 220 4 220 10 - let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 - let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops5] postcondition_mut'0 self args res_state res) + -> ([%#sops6] unnest'0 self res_state) use seq.Seq - type t_Item'0 + use seq.Seq use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - type t_I'0 + use seq.Seq use seq.Seq predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - - - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter4] produces'1 a ab b) - -> ([%#siter5] produces'1 b bc c) -> ([%#siter6] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter3] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - = - [%#siter2] produces'1 self.current visited o.current /\ self.final = o.final - constant self : borrowed t_I'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . 
([%#siter13] produces'1 a ab b) + -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (self : borrowed t_I'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - goal vc_produces_refl'0 : [%#siter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_trans [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (* <&mut I as std::iter::Iterator> *) - let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 227 15 227 32 - let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 228 15 228 32 - let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 229 14 229 42 - let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 225 4 225 10 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - use prelude.prelude.Borrow + use prelude.prelude.Snapshot - type t_I'0 + use prelude.prelude.Snapshot - type t_Item'0 + use prelude.prelude.Int use seq.Seq 
@@ -6441,1050 +6639,889 @@ module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_tr use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use prelude.prelude.Snapshot - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) = - [%#siter4] produces'1 self.current visited o.current /\ self.final = o.final + [%#smap_inv4] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 
1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - constant a : borrowed t_I'0 + use seq.Seq - constant ab : Seq.seq t_Item'0 + constant a : t_MapInv'0 - constant b : borrowed t_I'0 + constant ab : Seq.seq t_B'0 - constant bc : Seq.seq t_Item'0 + constant b : t_MapInv'0 - constant c : borrowed t_I'0 + constant bc : Seq.seq t_B'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (a : borrowed t_I'0) (ab : Seq.seq t_Item'0) (b : borrowed t_I'0) (bc : Seq.seq t_Item'0) (c : borrowed t_I'0) : () + constant c : t_MapInv'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () - goal vc_produces_trans'0 : ([%#siter1] produces'0 b bc c) - -> ([%#siter0] produces'0 a ab b) -> ([%#siter2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#smap_inv1] produces'0 b bc c) + -> ([%#smap_inv0] produces'0 a ab b) -> ([%#smap_inv2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_unwrap_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 103 16 105 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 
31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 103 43 103 44 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 103 52 103 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 99 26 102 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi5691635635396426195__resolve_coherence [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (* as resolve::Resolve> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 62 15 62 39 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 63 14 63 31 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 60 4 60 23 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 57 8 57 50 - type t_T'0 + use prelude.prelude.Borrow - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_I'0 type t_F'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_B'0 - use prelude.prelude.Borrow + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.Snapshot - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_B'0) } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : Snapshot.snap_ty (Seq.seq t_B'0)) + = + true - axiom inv_axiom'1 [@rewrite] : forall x : () [inv'3 x] . 
inv'3 x = true + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_I'0) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_MapInv'0) = + match _1 with + | {t_MapInv__iter'0 = x0 ; t_MapInv__func'0 = x1 ; t_MapInv__produced'0 = x2} -> resolve'1 x2 + /\ resolve'2 x1 /\ resolve'3 x0 + end - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) - + predicate resolve'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 28] (self : t_MapInv'0) = + [%#smap_inv3] resolve'3 self.t_MapInv__iter'0 /\ resolve'2 self.t_MapInv__func'0 - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_T'0)-> {inv'2 result} {[%#sops4] postcondition_once'0 self args result} (! 
return' {result}) ] + constant self : t_MapInv'0 + + function resolve_coherence'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (self : t_MapInv'0) : () - use prelude.prelude.Intrinsic + goal vc_resolve_coherence'0 : ([%#smap_inv0] structural_resolve'0 self) -> ([%#smap_inv1] resolve'0 self) +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4413682431414748756__next [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 4 90 44] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 91 39 91 58 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 94 16 94 76 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 95 31 95 71 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 99 38 99 88 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 100 32 100 63 + let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 105 32 105 56 + let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 17 90 21 + let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 26 90 44 + let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 86 14 89 5 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 103 26 106 17 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 162 27 162 52 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 163 26 163 71 + let%span smap_inv12 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 163 15 163 31 + let%span smap_inv13 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 164 4 164 60 + let%span smap_inv14 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 165 15 165 30 + let%span smap_inv15 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 166 15 166 64 + let%span smap_inv16 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 167 14 167 74 + 
let%span smap_inv17 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 168 14 168 75 + let%span smap_inv18 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 + let%span smap_inv19 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 + let%span smap_inv20 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9 + let%span smap_inv21 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 74 12 76 73 + let%span smap_inv22 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 + let%span smap_inv23 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 + let%span smap_inv24 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 117 12 119 63 + let%span smap_inv25 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sresolve26 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smap_inv27 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv28 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv29 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv30 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv31 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv32 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span siter33 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter34 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter35 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter36 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span sops37 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops38 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops39 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops40 = 
"../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops41 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops42 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops43 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span smap_inv44 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 153 12 156 47 + let%span smap_inv45 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 + let%span sinvariant46 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Borrow - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + use prelude.prelude.Snapshot - meta "compute_max_steps" 1000000 + type t_I'0 - let rec extern_spec_std_option_T_Option_T_unwrap_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- t ] s4 - | s4 = bb8 ] - - | bb8 = bb9 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb9 - | bb9 = bb10 - | bb10 = bb11 - | bb11 = return' {_0} ] - ) - [ & _0 : t_T'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & _7 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body result type invariant] [%#soption2] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> postcondition_once'0 f () result - | C_Some'0 t -> result = t - end} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_body [#"../../../creusot-contracts/src/std/option.rs" 131 16 133 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 131 35 131 36 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 123 27 126 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 131 44 131 53 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 127 26 130 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - - type t_T'0 - - type t_Option'1 = - | C_None'0 - | C_Some'0 t_T'0 - - let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! 
{false} any) ] - + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) type t_F'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Item'0 - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'5 x0) + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + use prelude.prelude.Snapshot - type t_U'0 + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_I'0) = + [%#sinvariant46] inv'0 self.current /\ inv'0 self.final - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_I'0) - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] - + axiom inv_axiom'2 [@rewrite] : forall x : borrowed t_I'0 [inv'4 x] . 
inv'4 x = invariant'2 x type t_Option'0 = - | C_None'1 - | C_Some'1 t_U'0 - - use prelude.prelude.Borrow - - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + | C_None'0 + | C_Some'0 t_Item'0 - use prelude.prelude.Intrinsic + predicate inv'9 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Item'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'5 x] . inv'5 x = match x with | C_None'0 -> true - | C_Some'0 a_0 -> inv'5 a_0 + | C_Some'0 a_0 -> inv'9 a_0 end - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'4 a_0 - end + use seq.Seq - meta "compute_max_steps" 1000000 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - let rec extern_spec_std_option_T_Option_T_map_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_map_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_map_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_9 <- (t) ] s2 - | s2 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_7 <- _ret' ] s3) - | s3 = bb7 ] - - | bb7 = bb8 - | bb8 = s0 [ s0 = [ &_0 <- C_Some'1 _7 ] s1 | s1 = bb9 ] - | bb9 = bb10 - | bb10 = bb11 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb11 ] - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'1 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _7 : t_U'0 = any_l () - | & _9 : t_T'0 = any_l () ] + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_map_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'1 - | C_Some'0 t -> exists r : t_U'0 . result = C_Some'1 r /\ postcondition_once'0 f (t) r + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter34] produces'0 a ab b) + -> ([%#siter35] produces'0 b bc c) -> ([%#siter36] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter33] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + + predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + + use seq.Seq + + let rec next'1 (self:borrowed t_I'0) (return' (ret:t_Option'0))= {[@expl:next 'self' type invariant] inv'4 self} + any + [ return' (result:t_Option'0)-> {inv'5 result} + {[%#siter9] match result with + | C_None'0 -> completed'1 self + | C_Some'0 v -> produces'0 self.current (Seq.singleton v) self.final end} (! return' {result}) ] -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_inspect_body [#"../../../creusot-contracts/src/std/option.rs" 149 16 151 33] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 149 36 149 37 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 140 27 143 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 149 45 149 54 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 145 26 148 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - - type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Item'0))= any + [ good (field_0:t_Item'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Item'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! 
{false} any) ] + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - type t_F'0 + use prelude.prelude.Snapshot - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - use prelude.prelude.Borrow + use prelude.prelude.Snapshot - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant6] inv'4 self + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_F'0) = + [%#sinvariant46] inv'1 self.current /\ inv'1 self.final - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_F'0) - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + axiom inv_axiom'4 [@rewrite] : forall x : borrowed t_F'0 [inv'6 x] . inv'6 x = invariant'3 x - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = (let (x0) = x in inv'5 x0) + axiom inv_axiom'5 [@rewrite] : forall x : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) [inv'7 x] . 
inv'7 x + = (let (x0, x1) = x in inv'9 x0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + type t_B'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : ()) + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:()))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'2 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any [ return' (result:())-> {inv'3 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops43] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'2 res_state) - use prelude.prelude.Intrinsic + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops40] unnest'0 self b) + -> ([%#sops41] unnest'0 b c) -> ([%#sops42] unnest'0 self c) - meta "compute_max_steps" 1000000 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - let rec extern_spec_std_option_T_Option_T_inspect_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = any [ br0 -> {self_ = C_None'0 } (! bb5) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb6) ] - | bb6 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_12 <- t ] s2 - | s2 = [ &_10 <- (_12) ] s3 - | s3 = call_once'0 {f} {_10} (fun (_ret':()) -> [ &_8 <- _ret' ] s4) - | s4 = bb8 ] - - | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] - | bb9 = bb10 - | bb10 = bb11 - | bb5 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb7 ] - | bb7 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb11 ] - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _8 : () = any_l () - | & _10 : t_T'0 = any_l () - | & _12 : t_T'0 = any_l () ] + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops39] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_inspect_body result type invariant] [%#soption3] inv'1 result} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #0] [%#soption0] result = self_} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #1] [%#soption4] match self_ with - | C_None'0 -> true - | C_Some'0 t -> postcondition_once'0 f (t) () - end} + + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops37] postcondition_mut'0 self args res_state res) + -> ([%#sops38] unnest'0 self res_state) + + let rec call_mut'0 (self:borrowed t_F'0) (args:(t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (return' (ret:t_B'0))= {[@expl:call_mut 'self' type invariant] inv'6 self} + {[@expl:call_mut 'args' type invariant] inv'7 args} + {[@expl:call_mut requires] [%#sops10] precondition'0 self.current args} + any + [ return' (result:t_B'0)-> {inv'8 result} + {[%#sops11] postcondition_mut'0 self.current args self.final result} (! return' {result}) ] -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_body [#"../../../creusot-contracts/src/std/option.rs" 166 16 168 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 166 38 166 45 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 166 50 166 51 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 158 27 161 17 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 166 59 166 60 - let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 162 26 165 17 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - type t_T'0 + predicate next_precondition'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 115 4 115 78] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + + = + [%#smap_inv24] forall e : t_Item'0, i : t_I'0 . produces'0 iter (Seq.singleton e) i + -> precondition'0 func (e, Snapshot.new produced) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) + + = + [%#smap_inv45] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new s) + -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - type t_U'0 + predicate reinitialize'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 151 4 151 33] (_1 : ()) = + [%#smap_inv44] forall iter : borrowed t_I'0, func : t_F'0 . completed'1 iter + -> next_precondition'0 iter.final func (Seq.empty : Seq.seq t_Item'0) /\ preservation'0 iter.final func - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + + = + [%#smap_inv23] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) - use prelude.prelude.Borrow + axiom preservation_inv'0_spec : forall iter : t_I'0, func : t_F'0, produced : Seq.seq t_Item'0 . 
[%#smap_inv22] produced + = (Seq.empty : Seq.seq t_Item'0) -> preservation_inv'0 iter func produced = preservation'0 iter func - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_U'0) + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 72 4 72 30] (self : t_MapInv'0) = + [%#smap_inv21] reinitialize'0 () + /\ preservation_inv'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) + /\ next_precondition'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + function produces_one_invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 169 4 169 73] (self : t_MapInv'0) (e : t_Item'0) (r : t_B'0) (f : borrowed t_F'0) (iter : t_I'0) : () - type t_F'0 - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + axiom produces_one_invariant'0_spec : forall self : t_MapInv'0, e : t_Item'0, r : t_B'0, f : borrowed t_F'0, iter : t_I'0 . 
([%#smap_inv12] invariant'0 self) + -> ([%#smap_inv13] produces'0 self.t_MapInv__iter'0 (Seq.singleton e) iter) + -> ([%#smap_inv14] f.current = self.t_MapInv__func'0) + -> ([%#smap_inv15] postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final r) + -> ([%#smap_inv16] preservation_inv'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) + && ([%#smap_inv17] next_precondition'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Snapshot - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + use prelude.prelude.Snapshot - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops6] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'0 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] - + use seq.Seq - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - use prelude.prelude.Intrinsic + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + use seq.Seq - meta "compute_max_steps" 1000000 + use seq.Seq - let rec extern_spec_std_option_T_Option_T_map_or_body'0 (self_:t_Option'0) (default:t_U'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'default' type invariant] [%#soption1] inv'0 default} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'f' type invariant] [%#soption2] inv'1 f} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body requires] [%#soption3] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 default} s1 - | s1 = -{resolve'0 default}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_9 <- (t) ] s4 - | s4 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) - | s5 = bb7 ] - - | bb7 = bb8 - | bb8 = bb9 - | bb9 = bb10 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- default ] s1 | s1 = bb10 ] - | bb10 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_U'0 = any_l () - | & self_ : t_Option'0 = self_ - | & default : t_U'0 = default - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _9 : t_T'0 = any_l () ] - - [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_body result type invariant] [%#soption4] inv'0 result} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body ensures] [%#soption5] match self_ with - | C_None'0 -> result = default - | C_Some'0 t -> postcondition_once'0 f (t) result - end} - (! 
return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 183 16 186 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 183 46 183 53 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 183 58 183 59 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 175 27 178 17 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 183 67 183 68 - let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 179 26 182 17 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + use prelude.prelude.Snapshot - type t_T'0 + use prelude.prelude.Int - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - type t_D'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_D'0) + use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_D'0) + predicate produces'1 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + + = + [%#smap_inv25] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'0 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 
1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + = + [%#smap_inv32] () - type t_F'0 + axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv29] produces'1 a ab b) + -> ([%#smap_inv30] produces'1 b bc c) -> ([%#smap_inv31] produces'1 a (Seq.(++) ab bc) c) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = + [%#smap_inv28] () - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + axiom produces_refl'0_spec : forall self : t_MapInv'0 . 
[%#smap_inv27] produces'1 self (Seq.empty : Seq.seq t_B'0) self - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) + + = + [%#smap_inv19] exists f : borrowed t_F'0, e : t_Item'0 . f.current = self.t_MapInv__func'0 + /\ f.final = succ.t_MapInv__func'0 + /\ produces'0 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e + /\ precondition'0 f.current (e, self.t_MapInv__produced'0) + /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = (let (x0) = x in inv'6 x0) + axiom produces_one'0_spec : forall self : t_MapInv'0, visited : t_B'0, succ : t_MapInv'0 . [%#smap_inv18] produces_one'0 self visited succ + = produces'1 self (Seq.singleton visited) succ - predicate precondition'1 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + predicate inv'10 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_MapInv'0) - type t_U'0 + axiom inv_axiom'6 [@rewrite] : forall x : t_MapInv'0 [inv'10 x] . 
inv'10 x + = (invariant'0 x + /\ match x with + | {t_MapInv__iter'0 = iter ; t_MapInv__func'0 = func ; t_MapInv__produced'0 = produced} -> inv'0 iter /\ inv'1 func + end) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_MapInv'0)) = + [%#sinvariant46] inv'10 self.current /\ inv'10 self.final - predicate postcondition_once'1 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_MapInv'0)) - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'4 args} - {[@expl:call_once requires] [%#sops6] precondition'1 self args} - any - [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'1 self args result} (! return' {result}) ] - + axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_MapInv'0) [inv'2 x] . inv'2 x = invariant'1 x - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_MapInv'0)) = + [%#sresolve26] self.final = self.current - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_MapInv'0)) = + resolve'1 _1 - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'5 x] . 
inv'5 x = true - - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_D'0) (args : ()) + type t_Option'1 = + | C_None'1 + | C_Some'1 t_B'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_D'0) (args : ()) (result : t_U'0) - + use prelude.prelude.Intrinsic - let rec call_once'1 (self:t_D'0) (args:()) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops6] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] - + use prelude.prelude.Snapshot - use prelude.prelude.Intrinsic + use prelude.prelude.Snapshot - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'1 [inv'3 x] . 
inv'3 x = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'6 a_0 + | C_None'1 -> true + | C_Some'1 a_0 -> inv'8 a_0 end + predicate completed'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 14 4 14 35] (self : borrowed (t_MapInv'0)) + + = + [%#smap_inv20] Snapshot.inner (self.final).t_MapInv__produced'0 = (Seq.empty : Seq.seq t_Item'0) + /\ completed'1 (Borrow.borrow_logic (self.current).t_MapInv__iter'0 (self.final).t_MapInv__iter'0 (Borrow.inherit_id (Borrow.get_id self) 1)) + /\ (self.current).t_MapInv__func'0 = (self.final).t_MapInv__func'0 + meta "compute_max_steps" 1000000 - let rec extern_spec_std_option_T_Option_T_map_or_else_body'0 (self_:t_Option'0) (default:t_D'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'default' type invariant] [%#soption1] inv'0 default} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'f' type invariant] [%#soption2] inv'1 f} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body requires] [%#soption3] match self_ with - | C_None'0 -> precondition'0 default () - | C_Some'0 t -> precondition'1 f (t) - end} + let rec next'0 (self:borrowed (t_MapInv'0)) (return' (ret:t_Option'1))= {[@expl:next 'self' type invariant] [%#smap_inv6] inv'2 self} (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 default} s1 - | s1 = -{resolve'0 default}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_11 <- (t) ] s4 - | s4 = call_once'0 {f} {_11} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) - | s5 = bb8 ] + [ bb0 = s0 [ s0 = [ &old_self <- [%#smap_inv0] Snapshot.new self.current ] s1 | s1 = bb1 ] + | bb1 = s0 + [ s0 = {inv'0 (self.current).t_MapInv__iter'0} + Borrow.borrow_final {(self.current).t_MapInv__iter'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_I'0) -> + [ &_6 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { self.current with t_MapInv__iter'0 = _ret'.final } } ] + s1) + | s1 = next'1 {_6} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s2) + | s2 = bb2 ] + + | bb2 = any [ br0 -> {_5 = C_None'0 } (! bb5) | br1 (x0:t_Item'0)-> {_5 = C_Some'0 x0} (! bb4) ] + | bb4 = bb6 + | bb6 = s0 + [ s0 = v_Some'0 {_5} (fun (r0'0:t_Item'0) -> [ &v <- r0'0 ] s1) + | s1 = {[@expl:assertion] [%#smap_inv1] precondition'0 (self.current).t_MapInv__func'0 (v, (self.current).t_MapInv__produced'0)} + s2 + | s2 = bb7 ] + + | bb7 = s0 + [ s0 = + [ &produced <- [%#smap_inv2] Snapshot.new (Seq.snoc (Snapshot.inner (self.current).t_MapInv__produced'0) v) ] + + s1 + | s1 = bb8 ] + + | bb8 = s0 + [ s0 = {inv'1 (self.current).t_MapInv__func'0} + Borrow.borrow_final {(self.current).t_MapInv__func'0} {Borrow.inherit_id (Borrow.get_id self) 2} + (fun (_ret':borrowed t_F'0) -> + [ &_14 <- _ret' ] + -{inv'1 _ret'.final}- + [ &self <- { self with current = { self.current with t_MapInv__func'0 = _ret'.final } } ] + s1) + | s1 = [ &_15 <- (v, (self.current).t_MapInv__produced'0) ] s2 + | s2 = call_mut'0 {_14} {_15} (fun (_ret':t_B'0) -> [ &r <- _ret' ] s3) + | s3 = bb9 ] - | bb8 = bb9 | bb9 = bb10 - | bb10 = bb11 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = call_once'1 {default} {_8} (fun (_ret':t_U'0) 
-> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb11 - | bb11 = bb12 - | bb12 = bb13 + | bb10 = s0 + [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = produced } } ] s1 + | s1 = [ &_19 <- [%#smap_inv3] Snapshot.new (let _ = () in ()) ] s2 + | s2 = bb11 ] + + | bb11 = s0 + [ s0 = {[@expl:assertion] [%#smap_inv4] produces_one'0 (Snapshot.inner old_self) r self.current} s1 | s1 = bb12 ] + + | bb12 = s0 + [ s0 = {[@expl:type invariant] inv'2 self} s1 + | s1 = -{resolve'0 self}- s2 + | s2 = [ &_0 <- C_Some'1 r ] s3 + | s3 = bb13 ] + | bb13 = bb14 - | bb14 = return' {_0} ] + | bb14 = bb15 + | bb15 = bb17 + | bb5 = s0 [ s0 = [ &_24 <- [%#smap_inv5] Snapshot.new (Seq.empty : Seq.seq t_Item'0) ] s1 | s1 = bb16 ] + | bb16 = s0 + [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = _24 } } ] s1 + | s1 = {[@expl:type invariant] inv'2 self} s2 + | s2 = -{resolve'0 self}- s3 + | s3 = [ &_0 <- C_None'1 ] s4 + | s4 = bb17 ] + + | bb17 = bb18 + | bb18 = return' {_0} ] ) - [ & _0 : t_U'0 = any_l () - | & self_ : t_Option'0 = self_ - | & default : t_D'0 = default - | & f : t_F'0 = f - | & _8 : () = any_l () - | & t : t_T'0 = any_l () - | & _11 : t_T'0 = any_l () ] + [ & _0 : t_Option'1 = any_l () + | & self : borrowed (t_MapInv'0) = self + | & old_self : Snapshot.snap_ty (t_MapInv'0) = any_l () + | & _5 : t_Option'0 = any_l () + | & _6 : borrowed t_I'0 = any_l () + | & v : t_Item'0 = any_l () + | & produced : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () + | & r : t_B'0 = any_l () + | & _14 : borrowed t_F'0 = any_l () + | & _15 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) = any_l () + | & _19 : Snapshot.snap_ty () = any_l () + | & _24 : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () ] - [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body result type invariant] [%#soption4] inv'3 result} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body ensures] [%#soption5] match self_ 
with - | C_None'0 -> postcondition_once'0 default () result - | C_Some'0 t -> postcondition_once'1 f (t) result + [ return' (result:t_Option'1)-> {[@expl:next result type invariant] [%#smap_inv7] inv'3 result} + {[@expl:next ensures] [%#smap_inv8] match result with + | C_None'1 -> completed'0 self + | C_Some'1 v -> produces_one'0 self.current v self.final end} (! return' {result}) ] end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_ok_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 204 16 206 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 204 42 204 45 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 204 53 204 65 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 200 26 203 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__preservation_inv [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (* std::iter::map_inv::MapInv::Item, F> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 + let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter10 = 
"../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_T'0 + use seq.Seq - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_Item'0 - type t_F'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_I'0 + + type t_F'0 use prelude.prelude.Borrow + type t_B'0 + + use prelude.prelude.Snapshot + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - type t_E'0 + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - type t_Result'0 = - | C_Ok'0 t_T'0 - | C_Err'0 t_E'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res + = (exists res_state : t_F'0 . 
postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) + -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_E'0) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_E'0) - + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_E'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_E'0)-> {inv'4 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - use prelude.prelude.Intrinsic + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . 
([%#sops3] postcondition_mut'0 self args res_state res) + -> ([%#sops4] unnest'0 self res_state) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'5 a_0 - end + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Result'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - axiom inv_axiom'1 [@rewrite] : forall x : t_Result'0 [inv'2 x] . inv'2 x - = match x with - | C_Ok'0 a_0 -> inv'5 a_0 - | C_Err'0 a_0 -> inv'4 a_0 - end + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'0 a ab b) + -> ([%#siter12] produces'0 b bc c) -> ([%#siter13] produces'0 a (Seq.(++) ab bc) c) - meta "compute_max_steps" 1000000 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - let rec extern_spec_std_option_T_Option_T_ok_or_else_body'0 (self_:t_Option'0) (err:t_F'0) (return' (ret:t_Result'0))= {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'err' type invariant] [%#soption1] inv'0 err} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 err ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! 
bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 err} s1 - | s1 = -{resolve'0 err}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- C_Ok'0 t ] s4 - | s4 = bb9 ] - - | bb9 = bb10 - | bb10 = bb11 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {err} {_8} (fun (_ret':t_E'0) -> [ &_6 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = s0 [ s0 = [ &_0 <- C_Err'0 _6 ] s1 | s1 = bb8 ] - | bb8 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Result'0 = any_l () - | & self_ : t_Option'0 = self_ - | & err : t_F'0 = err - | & _6 : t_E'0 = any_l () - | & _8 : () = any_l () - | & t : t_T'0 = any_l () ] + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter10] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - [ return' (result:t_Result'0)-> {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body result type invariant] [%#soption2] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> exists r : t_E'0 . result = C_Err'0 r /\ postcondition_once'0 err () r - | C_Some'0 t -> result = C_Ok'0 t - end} - (! 
return' {result}) ] + + predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_and_then_body [#"../../../creusot-contracts/src/std/option.rs" 234 16 236 45] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 234 40 234 41 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 226 27 229 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 234 49 234 58 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 230 26 233 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + = + [%#smap_inv2] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new s) + -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - type t_T'0 + constant iter : t_I'0 - type t_Option'1 = - | C_None'0 - | C_Some'0 t_T'0 + constant func : t_F'0 - let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + constant produced : Seq.seq t_Item'0 + + predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - type t_F'0 + goal vc_preservation_inv'0 : [%#smap_inv0] produced = (Seq.empty : Seq.seq t_Item'0) + -> ([%#smap_inv1] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . 
unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) + = preservation'0 iter func +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__produces_one [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (* std::iter::map_inv::MapInv::Item, F> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops15 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops16 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops17 = 
"../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops18 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops19 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_I'0 - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + type t_F'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + type t_Item'0 - type t_U'0 + use seq.Seq - type t_Option'0 = - | C_None'1 - | C_Some'1 t_U'0 + use prelude.prelude.Snapshot - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + type t_B'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'5 a_0 - end + use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_Option'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_Option'0)-> {inv'2 result} - {[%#sops5] postcondition_once'0 self args result} - (! 
return' {result}) ] + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) use prelude.prelude.Borrow predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - use prelude.prelude.Intrinsic + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops19] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - meta "compute_max_steps" 1000000 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - let rec extern_spec_std_option_T_Option_T_and_then_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! 
bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_8 <- (t) ] s2 - | s2 = call_once'0 {f} {_8} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s3) - | s3 = bb7 ] - - | bb7 = bb8 - | bb8 = bb9 - | bb9 = bb10 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb10 ] - | bb10 = bb11 - | bb11 = bb12 - | bb12 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'1 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _8 : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_and_then_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'1 - | C_Some'0 t -> postcondition_once'0 f (t) result - end} - (! return' {result}) ] + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_filter_body [#"../../../creusot-contracts/src/std/option.rs" 254 16 256 41] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 254 35 254 44 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 243 27 246 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 254 52 254 61 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 247 26 253 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - type t_T'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . 
([%#sops16] unnest'0 self b) + -> ([%#sops17] unnest'0 b c) -> ([%#sops18] unnest'0 self c) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops15] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - type t_P'0 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops13] postcondition_mut'0 self args res_state res) + -> ([%#sops14] unnest'0 self res_state) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant6] inv'0 self + use seq.Seq - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + use seq.Seq - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : t_T'0) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter10] produces'1 a ab b) + -> ([%#siter11] produces'1 b bc c) -> ([%#siter12] produces'1 a (Seq.(++) ab bc) c) - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom inv_axiom'2 [@rewrite] : forall x : bool [inv'4 x] . inv'4 x = true + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter9] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : t_T'0) (result : bool) - + use prelude.prelude.Snapshot - let rec call_once'0 (self:t_P'0) (args:t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:bool)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] - + use prelude.prelude.Snapshot - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + use prelude.prelude.Int - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + use seq.Seq - use prelude.prelude.Intrinsic + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'0 a_0 - end + use prelude.prelude.Snapshot - meta "compute_max_steps" 1000000 + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + - let rec extern_spec_std_option_T_Option_T_filter_body'0 (self_:t_Option'0) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_filter_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_filter_body 'predicate' type invariant] [%#soption1] inv'1 predicate'} - {[@expl:extern_spec_std_option_T_Option_T_filter_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 predicate' (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_11 <- t ] s2 - | s2 = [ &_9 <- (_11) ] s3 - | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) - | s4 = bb7 ] - - | bb7 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! 
bb8) ] - | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] - | bb9 = bb12 - | bb10 = s0 [ s0 = {[@expl:type invariant] inv'0 t} s1 | s1 = -{resolve'0 t}- s2 | s2 = bb11 ] - | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] - | bb12 = bb13 - | bb13 = bb14 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 predicate'} s1 | s1 = -{resolve'1 predicate'}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb14 ] - | bb14 = bb15 - | bb15 = bb16 - | bb16 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & predicate' : t_P'0 = predicate' - | & t : t_T'0 = any_l () - | & _7 : bool = any_l () - | & _9 : t_T'0 = any_l () - | & _11 : t_T'0 = any_l () ] + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_filter_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_filter_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'0 - | C_Some'0 t -> match result with - | C_None'0 -> postcondition_once'0 predicate' (t) false /\ resolve'0 t - | C_Some'0 r -> postcondition_once'0 predicate' (t) true /\ r = t - end - end} - (! return' {result}) ] + = + [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 
1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 273 16 275 44] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 273 36 273 37 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 273 45 273 54 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 269 26 272 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + = + [%#smap_inv8] () - type t_T'0 + axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . 
([%#smap_inv5] produces'0 a ab b) + -> ([%#smap_inv6] produces'0 b bc c) -> ([%#smap_inv7] produces'0 a (Seq.(++) ab bc) c) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = + [%#smap_inv4] () - type t_F'0 + axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv3] produces'0 self (Seq.empty : Seq.seq t_B'0) self - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + constant self : t_MapInv'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + constant visited : t_B'0 + + constant succ : t_MapInv'0 + + predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + goal vc_produces_one'0 : [%#smap_inv0] ([%#smap_inv1] exists f : borrowed t_F'0, e : t_Item'0 . 
f.current + = self.t_MapInv__func'0 + /\ f.final = succ.t_MapInv__func'0 + /\ produces'1 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e + /\ precondition'0 f.current (e, self.t_MapInv__produced'0) + /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited) + = produces'0 self (Seq.singleton visited) succ +end +module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_refl [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (* as std::iter::Iterator> *) + let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 31 14 31 45 + let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 29 4 29 10 + let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 - axiom inv_axiom'1 [@rewrite] : forall x : () [inv'2 x] . inv'2 x = true + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + type t_T'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'3 a_0 - end + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_Option'0) - + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'2 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_Option'0)-> {inv'1 result} - {[%#sops4] postcondition_once'0 self args result} - (! return' {result}) ] - + type t_Once'0 = + { t_Once__inner'0: t_IntoIter'0 } - use prelude.prelude.Intrinsic + function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - meta "compute_max_steps" 1000000 + use seq.Seq - let rec extern_spec_std_option_T_Option_T_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- C_Some'0 t ] s4 - | s4 = bb8 ] - - | bb8 = bb9 - | bb9 = bb10 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb10 - | bb10 = bb11 - | bb11 = bb12 - | bb12 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & _7 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_or_else_body result type invariant] [%#soption2] inv'1 result} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> postcondition_once'0 f () result - | C_Some'0 t -> result = C_Some'0 t - end} - (! return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + = + [%#sonce2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + constant self : t_Once'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (self : t_Once'0) : () + + goal vc_produces_refl'0 : [%#sonce0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_get_or_insert_with_body [#"../../../creusot-contracts/src/std/option.rs" 311 16 313 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 311 52 311 53 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 306 27 306 63 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 311 61 311 67 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 307 26 310 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span soption6 = "../../../creusot-contracts/src/std/option.rs" 62 26 62 75 - let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 64 20 65 100 - let%span sresolve8 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sresolve9 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - let%span sinvariant10 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 +module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_trans [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (* as std::iter::Iterator> *) + let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 36 15 36 32 + let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 37 15 37 32 + let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 38 14 38 42 + let%span sonce3 = "../../../creusot-contracts/src/std/iter/once.rs" 34 4 34 10 + let%span sonce4 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 type t_T'0 
@@ -7492,3592 +7529,6917 @@ module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T | C_None'0 | C_Some'0 t_T'0 - type t_F'0 + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - use prelude.prelude.Borrow + type t_Once'0 = + { t_Once__inner'0: t_IntoIter'0 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant10] inv'1 self.current /\ inv'1 self.final + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + + = + [%#sonce4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x + use seq.Seq - predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve8] self.final = self.current + constant a : t_Once'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'4 _1 + constant ab : Seq.seq t_T'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + constant b : t_Once'0 - axiom inv_axiom'3 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true + constant bc : Seq.seq t_T'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + constant c : t_Once'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (a : t_Once'0) (ab : Seq.seq t_T'0) (b : t_Once'0) (bc : Seq.seq t_T'0) (c : t_Once'0) : () - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_T'0)-> {inv'1 result} {[%#sops5] postcondition_once'0 self args result} (! 
return' {result}) ] - + goal vc_produces_trans'0 : ([%#sonce1] produces'0 b bc c) + -> ([%#sonce0] produces'0 a ab b) -> ([%#sonce2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 30 4 30 10 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'1 a_0 - end + type t_Idx'0 - predicate resolve'7 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + use seq.Seq - predicate resolve'5 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = - [%#sresolve9] match self with - | C_Some'0 x -> resolve'7 x - | C_None'0 -> true - end + type t_Range'0 = + { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Option'0) = - resolve'5 _1 + use prelude.prelude.Int - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = - [%#sinvariant10] inv'3 self.current /\ inv'3 self.final + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + use seq.Seq - axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'4 x] . 
inv'4 x = invariant'1 x + use seq.Seq - type t_Option'1 = - | C_None'1 - | C_Some'1 (borrowed t_T'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + + = + [%#srange2] self.t_Range__end'0 = o.t_Range__end'0 + /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 + /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) + /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + constant self : t_Range'0 - axiom inv_axiom'4 [@rewrite] : forall x : t_Option'1 [inv'6 x] . inv'6 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'2 a_0 - end + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (self : t_Range'0) : () - let rec as_mut'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'1))= {[@expl:as_mut 'self' type invariant] inv'4 self} - any - [ return' (result:t_Option'1)-> {inv'6 result} - {[%#soption6] self.current = C_None'0 -> result = C_None'1 /\ self.final = C_None'0} - {[%#soption7] self.current = C_None'0 - \/ (exists r : borrowed t_T'0 . result = C_Some'1 r - /\ self.current = C_Some'0 (r.current) /\ self.final = C_Some'0 (r.final))} - (! 
return' {result}) ] - + goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 35 4 35 10 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - let rec unwrap'0 (self:t_Option'1) (return' (ret:borrowed t_T'0))= {[@expl:unwrap 'self' type invariant] inv'6 self} - {[@expl:unwrap requires] [%#soption0] self <> C_None'1} - any [ return' (result:borrowed t_T'0)-> {inv'2 result} {[%#soption0] C_Some'1 result = self} (! return' {result}) ] + type t_Idx'0 - predicate resolve'6 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = - [%#sresolve8] self.final = self.current + type t_Range'0 = + { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = - resolve'6 _1 + use seq.Seq - use prelude.prelude.Intrinsic + use prelude.prelude.Int - meta "compute_max_steps" 1000000 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - let rec extern_spec_std_option_T_Option_T_get_or_insert_with_body'0 (self_:borrowed (t_Option'0)) (f:t_F'0) (return' (ret:borrowed t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'self_' type invariant] [%#soption0] inv'4 self_} - {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'f' type invariant] [%#soption1] inv'0 f} - 
{[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body requires] [%#soption2] self_.current = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_.current} - (fun (r0'0:t_T'0) -> - {inv'1 r0'0} - Borrow.borrow_final {r0'0} {Borrow.inherit_id (Borrow.get_id self_) 1} - (fun (_ret':borrowed t_T'0) -> - [ &t <- _ret' ] - -{inv'1 _ret'.final}- - [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] - s3)) - | s3 = {inv'1 t.current} - Borrow.borrow_final {t.current} {Borrow.get_id t} - (fun (_ret':borrowed t_T'0) -> - [ &_6 <- _ret' ] - -{inv'1 _ret'.final}- - [ &t <- { t with current = _ret'.final } ] - s4) - | s4 = {[@expl:type invariant] inv'2 t} s5 - | s5 = -{resolve'1 t}- s6 - | s6 = bb14 ] - - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_12} (fun (_ret':t_T'0) -> [ &_10 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = s0 [ s0 = [ &_9 <- C_Some'0 _10 ] s1 | s1 = bb8 ] - | bb8 = bb9 - | bb9 = s0 - [ s0 = {[@expl:type invariant] match self_ with - | {current = x'0} -> inv'3 x'0 - | _ -> true - end} - s1 - | s1 = -{match self_ with - | {current = x'1} -> resolve'2 x'1 - | _ -> true - end}- - s2 - | s2 = [ &self_ <- { self_ with current = _9 } ] s3 - | s3 = bb11 ] - - | bb11 = s0 - [ s0 = {inv'3 self_.current} - Borrow.borrow_final {self_.current} {Borrow.get_id self_} - (fun (_ret':borrowed (t_Option'0)) -> - [ &_15 <- _ret' ] - -{inv'3 _ret'.final}- - [ &self_ <- { self_ with current = _ret'.final } ] - s1) - | s1 = as_mut'0 {_15} (fun (_ret':t_Option'1) -> [ &_14 <- _ret' ] s2) - | s2 = bb12 ] - - | bb12 = s0 [ s0 = unwrap'0 {_14} (fun (_ret':borrowed t_T'0) -> [ &_13 <- _ret' ] s1) | s1 = bb13 ] - | bb13 = s0 - [ s0 = {inv'1 _13.current} - Borrow.borrow_final {_13.current} {Borrow.get_id _13} - (fun 
(_ret':borrowed t_T'0) -> - [ &_8 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_13 <- { _13 with current = _ret'.final } ] - s1) - | s1 = {inv'1 _8.current} - Borrow.borrow_final {_8.current} {Borrow.get_id _8} - (fun (_ret':borrowed t_T'0) -> - [ &_6 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_8 <- { _8 with current = _ret'.final } ] - s2) - | s2 = {[@expl:type invariant] inv'2 _13} s3 - | s3 = -{resolve'1 _13}- s4 - | s4 = {[@expl:type invariant] inv'2 _8} s5 - | s5 = -{resolve'1 _8}- s6 - | s6 = bb14 ] - - | bb14 = s0 - [ s0 = {inv'1 _6.current} - Borrow.borrow_final {_6.current} {Borrow.get_id _6} - (fun (_ret':borrowed t_T'0) -> - [ &_3 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_6 <- { _6 with current = _ret'.final } ] - s1) - | s1 = {inv'1 _3.current} - Borrow.borrow_final {_3.current} {Borrow.get_id _3} - (fun (_ret':borrowed t_T'0) -> - [ &_0 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_3 <- { _3 with current = _ret'.final } ] - s2) - | s2 = {[@expl:type invariant] inv'2 _6} s3 - | s3 = -{resolve'1 _6}- s4 - | s4 = {[@expl:type invariant] inv'2 _3} s5 - | s5 = -{resolve'1 _3}- s6 - | s6 = bb15 ] - - | bb15 = s0 [ s0 = {[@expl:type invariant] inv'4 self_} s1 | s1 = -{resolve'3 self_}- s2 | s2 = return' {_0} ] ] - ) - [ & _0 : borrowed t_T'0 = any_l () - | & self_ : borrowed (t_Option'0) = self_ - | & f : t_F'0 = f - | & _3 : borrowed t_T'0 = any_l () - | & _6 : borrowed t_T'0 = any_l () - | & _8 : borrowed t_T'0 = any_l () - | & _9 : t_Option'0 = any_l () - | & _10 : t_T'0 = any_l () - | & _12 : () = any_l () - | & _13 : borrowed t_T'0 = any_l () - | & _14 : t_Option'1 = any_l () - | & _15 : borrowed (t_Option'0) = any_l () - | & t : borrowed t_T'0 = any_l () ] + use seq.Seq + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) - [ return' (result:borrowed t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body result type invariant] 
[%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body ensures] [%#soption4] match self_.current with - | C_None'0 -> postcondition_once'0 f () result.current /\ self_.final = C_Some'0 (result.final) - | C_Some'0 _ -> self_.current = C_Some'0 (result.current) /\ self_.final = C_Some'0 (result.final) - end} - (! return' {result}) ] + = + [%#srange4] self.t_Range__end'0 = o.t_Range__end'0 + /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 + /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) + /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) + + use seq.Seq + + constant a : t_Range'0 + + constant ab : Seq.seq t_Idx'0 + + constant b : t_Range'0 + + constant bc : Seq.seq t_Idx'0 + + constant c : t_Range'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (a : t_Range'0) (ab : Seq.seq t_Idx'0) (b : t_Range'0) (bc : Seq.seq t_Idx'0) (c : t_Range'0) : () + + goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) + -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_take_if_body [#"../../../creusot-contracts/src/std/option.rs" 338 16 340 45] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 338 41 338 50 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 324 27 327 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 338 58 338 67 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 328 26 337 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module 
M_creusot_contracts__stdqy35z1__iter__range__range_inclusive_len [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span sops1 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + + type t_Idx'0 + + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + + use prelude.prelude.Int + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . 
[%#sops1] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + + constant r : t_RangeInclusive'0 + + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + + + goal vc_range_inclusive_len'0 : ([%#sops1] not is_empty_log'0 r + -> deep_model'0 (start_log'0 r) <= deep_model'0 (end_log'0 r)) + -> (if is_empty_log'0 r then + [%#srange0] is_empty_log'0 r = (0 = 0) + else + [%#srange0] is_empty_log'0 r = (deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 = 0) + ) +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + + use seq.Seq + + type t_Idx'0 + + use seq.Seq + + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + + use seq.Seq + + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + + use prelude.prelude.Int + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + + axiom 
is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops5] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + + = + [%#srange4] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + + axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange3] is_empty_log'0 r + = (range_inclusive_len'0 r = 0) + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + + = + [%#srange2] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o + /\ (is_empty_log'0 self -> is_empty_log'0 o) + /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) + + constant self : t_RangeInclusive'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (self : t_RangeInclusive'0) : () + + + goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 79 4 79 10 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 + let%span srange5 = 
"../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span srange6 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + + type t_Idx'0 + + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + + use seq.Seq + + use seq.Seq + + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + + use prelude.prelude.Int + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops7] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + + = + [%#srange6] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + + axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange5] is_empty_log'0 r + = (range_inclusive_len'0 r = 0) + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + + = + [%#srange4] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o + /\ (is_empty_log'0 self -> is_empty_log'0 o) + /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) + + use seq.Seq + + constant a : t_RangeInclusive'0 + + constant ab : Seq.seq t_Idx'0 + + constant b : t_RangeInclusive'0 + + constant bc : Seq.seq t_Idx'0 + + constant c : t_RangeInclusive'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (a : t_RangeInclusive'0) (ab : Seq.seq t_Idx'0) (b : t_RangeInclusive'0) (bc : Seq.seq t_Idx'0) (c : t_RangeInclusive'0) : () + + + goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) + -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_refl [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (* as std::iter::Iterator> *) + let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 31 14 31 45 + let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 29 4 29 10 + let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + + use seq.Seq + + type t_T'0 + + use seq.Seq + + type t_Repeat'0 = + { t_Repeat__element'0: t_T'0 } + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + + = + [%#srepeat2] self = o /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) + + constant self : t_Repeat'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (self : t_Repeat'0) : () + + goal vc_produces_refl'0 : [%#srepeat0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_trans [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (* as std::iter::Iterator> *) + let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 36 15 36 32 + let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 37 15 37 32 + let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 38 14 38 42 + let%span srepeat3 = "../../../creusot-contracts/src/std/iter/repeat.rs" 34 4 34 10 + let%span srepeat4 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + + type t_T'0 + + type t_Repeat'0 = + { t_Repeat__element'0: t_T'0 } + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + + = + [%#srepeat4] self = o /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) + + use seq.Seq + + constant a : t_Repeat'0 + + constant ab : Seq.seq t_T'0 + + constant b : t_Repeat'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_Repeat'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (a : t_Repeat'0) (ab : Seq.seq t_T'0) (b : t_Repeat'0) (bc : Seq.seq t_T'0) (c : t_Repeat'0) : () + + + goal vc_produces_trans'0 : ([%#srepeat1] produces'0 b bc c) + -> ([%#srepeat0] produces'0 a ab b) -> ([%#srepeat2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_refl [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (* as std::iter::Iterator> *) + let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 73 14 73 45 + let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 71 4 71 10 + let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 + let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 + let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + use seq.Seq + + type t_I'0 + + use prelude.prelude.UIntSize + + type t_Skip'0 = + { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + + use prelude.prelude.Int + + constant v_MAX'0 : usize = (18446744073709551615 : usize) + + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + + axiom n'0_spec : forall self : t_Skip'0 . 
[%#sskip3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip4] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + use seq.Seq + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + + = + [%#sskip2] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o + \/ n'0 o = 0 + /\ Seq.length visited > 0 + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self + /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) + /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) + + constant self : t_Skip'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (self : t_Skip'0) : () + + goal vc_produces_refl'0 : [%#sskip0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_trans [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (* as std::iter::Iterator> *) + let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 78 15 78 32 + let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 79 15 79 32 + let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 80 14 80 42 + let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 76 4 76 10 + let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 + let%span sskip5 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 + let%span sskip6 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_I'0 + + use prelude.prelude.UIntSize + + type t_Skip'0 = + { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + + type t_Item'0 + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + constant v_MAX'0 : usize = (18446744073709551615 : usize) + + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + + axiom n'0_spec : forall self : t_Skip'0 . 
[%#sskip5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip6] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + use seq.Seq + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + + = + [%#sskip4] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o + \/ n'0 o = 0 + /\ Seq.length visited > 0 + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self + /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) + /\ (forall i : int . 
0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) + + constant a : t_Skip'0 + + constant ab : Seq.seq t_Item'0 + + constant b : t_Skip'0 + + constant bc : Seq.seq t_Item'0 + + constant c : t_Skip'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (a : t_Skip'0) (ab : Seq.seq t_Item'0) (b : t_Skip'0) (bc : Seq.seq t_Item'0) (c : t_Skip'0) : () + + + goal vc_produces_trans'0 : ([%#sskip1] produces'0 b bc c) + -> ([%#sskip0] produces'0 a ab b) -> ([%#sskip2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_refl [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (* as std::iter::Iterator> *) + let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 71 14 71 45 + let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 69 4 69 10 + let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 + let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 + let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + use seq.Seq + + type t_I'0 + + use prelude.prelude.UIntSize + + type t_Take'0 = + { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + + use prelude.prelude.Int + + constant v_MAX'0 : usize = (18446744073709551615 : usize) + + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + + axiom n'0_spec : forall self : t_Take'0 . 
[%#stake3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x + = match x with + | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Take'0 . [%#stake4] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . 
[%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + + = + [%#stake2] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) + + constant self : t_Take'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (self : t_Take'0) : () + + goal vc_produces_refl'0 : [%#stake0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_trans [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (* as std::iter::Iterator> *) + let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32 + let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 77 15 77 32 + let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 78 14 78 42 + let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 74 4 74 10 + let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 + let%span stake5 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 + let%span stake6 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_I'0 + + use prelude.prelude.UIntSize + + type t_Take'0 = + { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + + type t_Item'0 + + use seq.Seq + + use prelude.prelude.Int + + constant v_MAX'0 : usize = (18446744073709551615 : usize) + + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : 
t_Take'0) : int + + axiom n'0_spec : forall self : t_Take'0 . [%#stake5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x + = match x with + | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Take'0 . [%#stake6] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . 
[%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + + = + [%#stake4] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) + + constant a : t_Take'0 + + constant ab : Seq.seq t_Item'0 + + constant b : t_Take'0 + + constant bc : Seq.seq t_Item'0 + + constant c : t_Take'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (a : t_Take'0) (ab : Seq.seq t_Item'0) (b : t_Take'0) (bc : Seq.seq t_Item'0) (c : t_Take'0) : () + + + goal vc_produces_trans'0 : ([%#stake1] produces'0 b bc c) + -> ([%#stake0] produces'0 a ab b) -> ([%#stake2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_refl [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (* as std::iter::Iterator> *) + let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45 + let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 53 4 53 10 + let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 + let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 + let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + type t_Item'1 + + use seq.Seq + + type t_A'0 + + type t_B'0 + + use prelude.prelude.UIntSize + + type t_Zip'0 = + { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + + use seq.Seq + + use seq.Seq + + use 
seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a + /\ inv'2 b + end + + function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + + axiom itera'0_spec : forall self : t_Zip'0 . [%#szip3] inv'0 self -> inv'1 (itera'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + + + axiom produces_trans'0_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + + axiom produces_refl'1_spec : forall self : t_A'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + + axiom iterb'0_spec : forall self : t_Zip'0 . 
[%#szip4] inv'0 self -> inv'2 (iterb'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + + + axiom produces_trans'1_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter6] produces'2 a ab b) + -> ([%#siter7] produces'2 b bc c) -> ([%#siter8] produces'2 a (Seq.(++) ab bc) c) + + function produces_refl'2 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + + axiom produces_refl'2_spec : forall self : t_B'0 . [%#siter5] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + + = + [%#szip2] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 + /\ Seq.length p2 = Seq.length visited + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) + /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + + constant self : t_Zip'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (self : t_Zip'0) : () + + goal vc_produces_refl'0 : [%#szip0] produces'0 self (Seq.empty : Seq.seq (t_Item'0, t_Item'1)) self +end +module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_trans [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (* as std::iter::Iterator> *) + let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32 + let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32 + let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42 + let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 58 4 58 10 + let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 + let%span szip5 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 + let%span szip6 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_A'0 + + type t_B'0 + + use prelude.prelude.UIntSize + + type t_Zip'0 = + { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + + type t_Item'0 + + type t_Item'1 + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + + predicate inv'2 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a + /\ inv'2 b + end + + function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + + axiom itera'0_spec : forall self : t_Zip'0 . [%#szip5] inv'0 self -> inv'1 (itera'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + + + axiom produces_trans'1_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + + axiom produces_refl'0_spec : forall self : t_A'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + + axiom iterb'0_spec : forall self : t_Zip'0 . 
[%#szip6] inv'0 self -> inv'2 (iterb'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + + + function produces_trans'2 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + + + axiom produces_trans'2_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter8] produces'2 a ab b) + -> ([%#siter9] produces'2 b bc c) -> ([%#siter10] produces'2 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + + axiom produces_refl'1_spec : forall self : t_B'0 . [%#siter7] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + + = + [%#szip4] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 + /\ Seq.length p2 = Seq.length visited + /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) + /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + + use seq.Seq + + constant a : t_Zip'0 + + constant ab : Seq.seq (t_Item'0, t_Item'1) + + constant b : t_Zip'0 + + constant bc : Seq.seq (t_Item'0, t_Item'1) + + constant c : t_Zip'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (a : t_Zip'0) (ab : Seq.seq (t_Item'0, t_Item'1)) (b : t_Zip'0) (bc : Seq.seq (t_Item'0, t_Item'1)) (c : t_Zip'0) : () + + + goal vc_produces_trans'0 : ([%#szip1] produces'0 b bc c) + -> ([%#szip0] produces'0 a ab b) -> ([%#szip2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_refl [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (* <&mut I as std::iter::Iterator> *) + let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 222 14 222 45 + let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 220 4 220 10 + let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 + let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_I'0 + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : 
t_I'0 . ([%#siter4] produces'1 a ab b) + -> ([%#siter5] produces'1 b bc c) -> ([%#siter6] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter3] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + + = + [%#siter2] produces'1 self.current visited o.current /\ self.final = o.final + + constant self : borrowed t_I'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (self : borrowed t_I'0) : () + + goal vc_produces_refl'0 : [%#siter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_trans [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (* <&mut I as std::iter::Iterator> *) + let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 227 15 227 32 + let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 228 15 228 32 + let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 229 14 229 42 + let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 225 4 225 10 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use prelude.prelude.Borrow + + type t_I'0 + + type t_Item'0 + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function 
produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + + = + [%#siter4] produces'1 self.current visited o.current /\ self.final = o.final + + constant a : borrowed t_I'0 + + constant ab : Seq.seq t_Item'0 + + constant b : borrowed t_I'0 + + constant bc : Seq.seq t_Item'0 + + constant c : borrowed t_I'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (a : borrowed t_I'0) (ab : Seq.seq t_Item'0) (b : borrowed t_I'0) (bc : Seq.seq t_Item'0) (c : borrowed t_I'0) : () + + + goal vc_produces_trans'0 : ([%#siter1] produces'0 b bc c) + -> ([%#siter0] produces'0 a ab b) -> ([%#siter2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_unwrap_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 103 16 105 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 103 43 103 44 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 103 52 103 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 99 26 102 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type 
t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'1 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_T'0)-> {inv'2 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_unwrap_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- t ] s4 + | s4 = bb8 ] + + | bb8 = bb9 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb9 + | bb9 = bb10 + | bb10 = bb11 + | bb11 = return' {_0} ] + ) + [ & _0 : t_T'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & _7 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body result type invariant] [%#soption2] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> postcondition_once'0 f () result + | C_Some'0 t -> result = t + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_body [#"../../../creusot-contracts/src/std/option.rs" 131 16 133 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 131 35 131 36 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 123 27 126 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 131 44 131 53 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 127 26 130 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'1 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + type t_Option'0 = + | C_None'1 + | C_Some'1 t_U'0 + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'5 a_0 + end + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_map_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_map_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! 
bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_9 <- (t) ] s2 + | s2 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_7 <- _ret' ] s3) + | s3 = bb7 ] + + | bb7 = bb8 + | bb8 = s0 [ s0 = [ &_0 <- C_Some'1 _7 ] s1 | s1 = bb9 ] + | bb9 = bb10 + | bb10 = bb11 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb11 ] + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'1 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _7 : t_U'0 = any_l () + | & _9 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_map_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'1 + | C_Some'0 t -> exists r : t_U'0 . result = C_Some'1 r /\ postcondition_once'0 f (t) r + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_inspect_body [#"../../../creusot-contracts/src/std/option.rs" 149 16 151 33] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 149 36 149 37 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 140 27 143 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 149 45 149 54 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 145 26 148 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant6] inv'4 self + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : ()) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:()))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'2 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any [ return' (result:())-> {inv'3 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_inspect_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = any [ br0 -> {self_ = C_None'0 } (! bb5) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb6) ] + | bb6 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_12 <- t ] s2 + | s2 = [ &_10 <- (_12) ] s3 + | s3 = call_once'0 {f} {_10} (fun (_ret':()) -> [ &_8 <- _ret' ] s4) + | s4 = bb8 ] + + | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] + | bb9 = bb10 + | bb10 = bb11 + | bb5 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb7 ] + | bb7 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb11 ] + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _8 : () = any_l () + | & _10 : t_T'0 = any_l () + | & _12 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_inspect_body result type invariant] [%#soption3] inv'1 result} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #0] [%#soption0] result = self_} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #1] [%#soption4] match self_ with + | C_None'0 -> true + | C_Some'0 t -> postcondition_once'0 f (t) () + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_body [#"../../../creusot-contracts/src/std/option.rs" 166 16 168 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 166 38 166 45 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 166 50 166 51 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 158 27 161 17 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 166 59 166 60 + let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 162 26 165 17 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_U'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_U'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'4 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops6] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'0 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_or_body'0 (self_:t_Option'0) (default:t_U'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'default' type invariant] [%#soption1] inv'0 default} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'f' type invariant] [%#soption2] inv'1 f} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body requires] [%#soption3] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 default} s1 + | s1 = -{resolve'0 default}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_9 <- (t) ] s4 + | s4 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) + | s5 = bb7 ] + + | bb7 = bb8 + | bb8 = bb9 + | bb9 = bb10 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- default ] s1 | s1 = bb10 ] + | bb10 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_U'0 = any_l () + | & self_ : t_Option'0 = self_ + | & default : t_U'0 = default + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _9 : t_T'0 = any_l () ] + + [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_body result type invariant] [%#soption4] inv'0 result} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body ensures] [%#soption5] match self_ with + | C_None'0 -> result = default + | C_Some'0 t -> postcondition_once'0 f (t) result + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 183 16 186 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 183 46 183 53 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 183 58 183 59 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 175 27 178 17 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 183 67 183 68 + let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 179 26 182 17 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_D'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_D'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_D'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'4 x] . 
inv'4 x = (let (x0) = x in inv'6 x0) + + predicate precondition'1 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate postcondition_once'1 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'4 args} + {[@expl:call_once requires] [%#sops6] precondition'1 self args} + any + [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'1 self args result} (! return' {result}) ] + + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_D'0) (args : ()) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_D'0) (args : ()) (result : t_U'0) + + + let rec call_once'1 (self:t_D'0) (args:()) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops6] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'6 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_or_else_body'0 (self_:t_Option'0) (default:t_D'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'default' type invariant] [%#soption1] inv'0 default} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'f' type invariant] [%#soption2] inv'1 f} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body requires] [%#soption3] match self_ with + | C_None'0 -> precondition'0 default () + | C_Some'0 t -> precondition'1 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 default} s1 + | s1 = -{resolve'0 default}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_11 <- (t) ] s4 + | s4 = call_once'0 {f} {_11} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) + | s5 = bb8 ] + + | bb8 = bb9 + | bb9 = bb10 + | bb10 = bb11 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = call_once'1 {default} {_8} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = bb14 + | bb14 = return' {_0} ] + ) + [ & _0 : t_U'0 = any_l () + | & self_ : t_Option'0 = self_ + | & default : t_D'0 = default + | & f : t_F'0 = f + | & _8 : () = any_l () + | & t : t_T'0 = any_l () + | & _11 : t_T'0 = any_l () ] + + [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body result type invariant] [%#soption4] inv'3 result} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body ensures] [%#soption5] match self_ with + | C_None'0 -> postcondition_once'0 
default () result + | C_Some'0 t -> postcondition_once'1 f (t) result + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_ok_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 204 16 206 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 204 42 204 45 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 204 53 204 65 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 200 26 203 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_E'0 + + type t_Result'0 = + | C_Ok'0 t_T'0 + | C_Err'0 t_E'0 + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . 
inv'3 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_E'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_E'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_E'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_E'0)-> {inv'4 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'5 a_0 + end + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Result'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Result'0 [inv'2 x] . inv'2 x + = match x with + | C_Ok'0 a_0 -> inv'5 a_0 + | C_Err'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_ok_or_else_body'0 (self_:t_Option'0) (err:t_F'0) (return' (ret:t_Result'0))= {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'err' type invariant] [%#soption1] inv'0 err} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 err ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 err} s1 + | s1 = -{resolve'0 err}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- C_Ok'0 t ] s4 + | s4 = bb9 ] + + | bb9 = bb10 + | bb10 = bb11 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {err} {_8} (fun (_ret':t_E'0) -> [ &_6 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = s0 [ s0 = [ &_0 <- C_Err'0 _6 ] s1 | s1 = bb8 ] + | bb8 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Result'0 = any_l () + | & self_ : t_Option'0 = self_ + | & err : t_F'0 = err + | & _6 : t_E'0 = any_l () + | & _8 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_Result'0)-> {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body result type invariant] [%#soption2] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> exists r : t_E'0 . result = C_Err'0 r /\ postcondition_once'0 err () r + | C_Some'0 t -> result = C_Ok'0 t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_and_then_body [#"../../../creusot-contracts/src/std/option.rs" 234 16 236 45] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 234 40 234 41 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 226 27 229 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 234 49 234 58 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 230 26 233 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'1 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . 
C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + type t_Option'0 = + | C_None'1 + | C_Some'1 t_U'0 + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'5 a_0 + end + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_Option'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_Option'0)-> {inv'2 result} + {[%#sops5] postcondition_once'0 self args result} + (! return' {result}) ] + + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_and_then_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_8 <- (t) ] s2 + | s2 = call_once'0 {f} {_8} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s3) + | s3 = bb7 ] + + | bb7 = bb8 + | bb8 = bb9 + | bb9 = bb10 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb10 ] + | bb10 = bb11 + | bb11 = bb12 + | bb12 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'1 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _8 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_and_then_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'1 + | C_Some'0 t -> postcondition_once'0 f (t) result + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_filter_body [#"../../../creusot-contracts/src/std/option.rs" 254 16 256 41] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 254 35 254 44 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 243 27 246 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 254 52 254 61 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 247 26 253 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_P'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + + use prelude.prelude.Borrow + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant6] inv'0 self + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . 
inv'3 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : t_T'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + + axiom inv_axiom'2 [@rewrite] : forall x : bool [inv'4 x] . inv'4 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : t_T'0) (result : bool) + + + let rec call_once'0 (self:t_P'0) (args:t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:bool)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'0 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_filter_body'0 (self_:t_Option'0) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_filter_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_filter_body 'predicate' type invariant] [%#soption1] inv'1 predicate'} + {[@expl:extern_spec_std_option_T_Option_T_filter_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 predicate' (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_11 <- t ] s2 + | s2 = [ &_9 <- (_11) ] s3 + | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) + | s4 = bb7 ] + + | bb7 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] + | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] + | bb9 = bb12 + | bb10 = s0 [ s0 = {[@expl:type invariant] inv'0 t} s1 | s1 = -{resolve'0 t}- s2 | s2 = bb11 ] + | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] + | bb12 = bb13 + | bb13 = bb14 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 predicate'} s1 | s1 = -{resolve'1 predicate'}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb14 ] + | bb14 = bb15 + | bb15 = bb16 + | bb16 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & predicate' : t_P'0 = predicate' + | & t : t_T'0 = any_l () + | & _7 : bool = any_l () + | & _9 : t_T'0 = any_l () + | & _11 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_filter_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_filter_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'0 + | C_Some'0 t -> match result with + | C_None'0 -> postcondition_once'0 predicate' (t) false /\ resolve'0 t + | C_Some'0 r -> postcondition_once'0 predicate' (t) true /\ r = t + end + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 273 16 275 44] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 273 36 273 37 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 273 45 273 54 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 269 26 272 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'1 [@rewrite] : forall x : () [inv'2 x] . inv'2 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . 
inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'3 a_0 + end + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_Option'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'2 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_Option'0)-> {inv'1 result} + {[%#sops4] postcondition_once'0 self args result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- C_Some'0 t ] s4 + | s4 = bb8 ] + + | bb8 = bb9 + | bb9 = bb10 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb10 + | bb10 = bb11 + | bb11 = bb12 + | bb12 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & _7 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_or_else_body result type invariant] [%#soption2] inv'1 result} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> postcondition_once'0 f () result + | C_Some'0 t -> result = C_Some'0 t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_get_or_insert_with_body [#"../../../creusot-contracts/src/std/option.rs" 311 16 313 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 311 52 311 53 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 306 27 306 63 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 311 61 311 67 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 307 26 310 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span soption6 = "../../../creusot-contracts/src/std/option.rs" 62 26 62 75 + let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 64 20 65 100 + let%span sresolve8 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sresolve9 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 + let%span sinvariant10 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + + 
type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant10] inv'1 self.current /\ inv'1 self.final + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + + predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve8] self.final = self.current + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'4 _1 + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'3 [@rewrite] : forall x : () [inv'5 x] . 
inv'5 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_T'0)-> {inv'1 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'1 a_0 + end + + predicate resolve'7 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + + predicate resolve'5 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = + [%#sresolve9] match self with + | C_Some'0 x -> resolve'7 x + | C_None'0 -> true + end + + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Option'0) = + resolve'5 _1 + + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = + [%#sinvariant10] inv'3 self.current /\ inv'3 self.final + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + + axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'4 x] . inv'4 x = invariant'1 x + + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_T'0) + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'4 [@rewrite] : forall x : t_Option'1 [inv'6 x] . 
inv'6 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'2 a_0 + end + + let rec as_mut'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'1))= {[@expl:as_mut 'self' type invariant] inv'4 self} + any + [ return' (result:t_Option'1)-> {inv'6 result} + {[%#soption6] self.current = C_None'0 -> result = C_None'1 /\ self.final = C_None'0} + {[%#soption7] self.current = C_None'0 + \/ (exists r : borrowed t_T'0 . result = C_Some'1 r + /\ self.current = C_Some'0 (r.current) /\ self.final = C_Some'0 (r.final))} + (! return' {result}) ] + + + let rec unwrap'0 (self:t_Option'1) (return' (ret:borrowed t_T'0))= {[@expl:unwrap 'self' type invariant] inv'6 self} + {[@expl:unwrap requires] [%#soption0] self <> C_None'1} + any [ return' (result:borrowed t_T'0)-> {inv'2 result} {[%#soption0] C_Some'1 result = self} (! return' {result}) ] + + predicate resolve'6 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = + [%#sresolve8] self.final = self.current + + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = + resolve'6 _1 + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_get_or_insert_with_body'0 (self_:borrowed (t_Option'0)) (f:t_F'0) (return' (ret:borrowed t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'self_' type invariant] [%#soption0] inv'4 self_} + {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body requires] [%#soption2] self_.current = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_.current} + (fun (r0'0:t_T'0) -> + {inv'1 r0'0} + Borrow.borrow_final {r0'0} {Borrow.inherit_id (Borrow.get_id self_) 1} + (fun (_ret':borrowed t_T'0) -> + [ &t <- _ret' ] + -{inv'1 _ret'.final}- + [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] + s3)) + | s3 = {inv'1 t.current} + Borrow.borrow_final {t.current} {Borrow.get_id t} + (fun (_ret':borrowed t_T'0) -> + [ &_6 <- _ret' ] + -{inv'1 _ret'.final}- + [ &t <- { t with current = _ret'.final } ] + s4) + | s4 = {[@expl:type invariant] inv'2 t} s5 + | s5 = -{resolve'1 t}- s6 + | s6 = bb14 ] + + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_12} (fun (_ret':t_T'0) -> [ &_10 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = s0 [ s0 = [ &_9 <- C_Some'0 _10 ] s1 | s1 = bb8 ] + | bb8 = bb9 + | bb9 = s0 + [ s0 = {[@expl:type invariant] match self_ with + | {current = x'0} -> inv'3 x'0 + | _ -> true + end} + s1 + | s1 = -{match self_ with + | {current = x'1} -> resolve'2 x'1 + | _ -> true + end}- + s2 + | s2 = [ &self_ <- { self_ with current = _9 } ] s3 + | s3 = bb11 ] + + | bb11 = s0 + [ s0 = {inv'3 self_.current} + Borrow.borrow_final {self_.current} {Borrow.get_id self_} + (fun (_ret':borrowed (t_Option'0)) -> + [ &_15 <- _ret' ] + -{inv'3 _ret'.final}- + [ &self_ <- { self_ with current = _ret'.final } ] + s1) + | s1 = as_mut'0 {_15} (fun (_ret':t_Option'1) -> [ &_14 <- _ret' ] s2) + | s2 = bb12 ] + + | bb12 = s0 [ s0 = unwrap'0 {_14} (fun (_ret':borrowed t_T'0) -> [ &_13 <- _ret' ] s1) | s1 = bb13 ] + | bb13 = s0 + [ s0 = {inv'1 _13.current} + Borrow.borrow_final {_13.current} {Borrow.get_id _13} + (fun (_ret':borrowed t_T'0) -> + [ &_8 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_13 <- { _13 with current = _ret'.final } ] + s1) + | s1 = {inv'1 _8.current} + Borrow.borrow_final {_8.current} {Borrow.get_id _8} + (fun (_ret':borrowed t_T'0) -> + [ &_6 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_8 <- { _8 
with current = _ret'.final } ] + s2) + | s2 = {[@expl:type invariant] inv'2 _13} s3 + | s3 = -{resolve'1 _13}- s4 + | s4 = {[@expl:type invariant] inv'2 _8} s5 + | s5 = -{resolve'1 _8}- s6 + | s6 = bb14 ] + + | bb14 = s0 + [ s0 = {inv'1 _6.current} + Borrow.borrow_final {_6.current} {Borrow.get_id _6} + (fun (_ret':borrowed t_T'0) -> + [ &_3 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_6 <- { _6 with current = _ret'.final } ] + s1) + | s1 = {inv'1 _3.current} + Borrow.borrow_final {_3.current} {Borrow.get_id _3} + (fun (_ret':borrowed t_T'0) -> + [ &_0 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_3 <- { _3 with current = _ret'.final } ] + s2) + | s2 = {[@expl:type invariant] inv'2 _6} s3 + | s3 = -{resolve'1 _6}- s4 + | s4 = {[@expl:type invariant] inv'2 _3} s5 + | s5 = -{resolve'1 _3}- s6 + | s6 = bb15 ] + + | bb15 = s0 [ s0 = {[@expl:type invariant] inv'4 self_} s1 | s1 = -{resolve'3 self_}- s2 | s2 = return' {_0} ] ] + ) + [ & _0 : borrowed t_T'0 = any_l () + | & self_ : borrowed (t_Option'0) = self_ + | & f : t_F'0 = f + | & _3 : borrowed t_T'0 = any_l () + | & _6 : borrowed t_T'0 = any_l () + | & _8 : borrowed t_T'0 = any_l () + | & _9 : t_Option'0 = any_l () + | & _10 : t_T'0 = any_l () + | & _12 : () = any_l () + | & _13 : borrowed t_T'0 = any_l () + | & _14 : t_Option'1 = any_l () + | & _15 : borrowed (t_Option'0) = any_l () + | & t : borrowed t_T'0 = any_l () ] + + [ return' (result:borrowed t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body ensures] [%#soption4] match self_.current with + | C_None'0 -> postcondition_once'0 f () result.current /\ self_.final = C_Some'0 (result.final) + | C_Some'0 _ -> self_.current = C_Some'0 (result.current) /\ self_.final = C_Some'0 (result.final) + end} + (! 
return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_take_if_body [#"../../../creusot-contracts/src/std/option.rs" 338 16 340 45] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 338 41 338 50 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 324 27 327 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 338 58 338 67 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 328 26 337 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 let%span sresolve6 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant7 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - type t_T'0 + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + use prelude.prelude.Borrow + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_P'0 + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant7] inv'0 self.current /\ inv'0 self.final + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'5 x] . 
inv'5 x = (let (x0) = x in inv'1 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : borrowed t_T'0) + + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + + axiom inv_axiom'4 [@rewrite] : forall x : bool [inv'6 x] . inv'6 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : borrowed t_T'0) (result : bool) + + + let rec call_once'0 (self:t_P'0) (args:borrowed t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'4 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:bool)-> {inv'6 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve6] self.final = self.current + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'3 _1 + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'0 a_0 + end + + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = + [%#sinvariant7] inv'2 self.current /\ inv'2 self.final + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + + axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'3 x] . 
inv'3 x = invariant'1 x + + let rec take'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'0))= {[@expl:take 'self' type invariant] inv'3 self} + any + [ return' (result:t_Option'0)-> {inv'2 result} + {[%#soption0] result = self.current /\ self.final = C_None'0} + (! return' {result}) ] + + + predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = + [%#sresolve6] self.final = self.current + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = + resolve'4 _1 + + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_take_if_body'0 (self_:borrowed (t_Option'0)) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'self_' type invariant] [%#soption0] inv'3 self_} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'predicate' type invariant] [%#soption1] inv'4 predicate'} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body requires] [%#soption2] match self_.current with + | C_None'0 -> true + | C_Some'0 t -> forall b : borrowed t_T'0 . inv'1 b /\ b.current = t -> precondition'0 predicate' (b) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! 
bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_.current} + (fun (r0'0:t_T'0) -> + {inv'0 r0'0} + Borrow.borrow_mut {r0'0} + (fun (_ret':borrowed t_T'0) -> + [ &t <- _ret' ] + -{inv'0 _ret'.final}- + [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] + s1)) + | s1 = {inv'0 t.current} + Borrow.borrow_final {t.current} {Borrow.get_id t} + (fun (_ret':borrowed t_T'0) -> + [ &_10 <- _ret' ] + -{inv'0 _ret'.final}- + [ &t <- { t with current = _ret'.final } ] + s2) + | s2 = [ &_9 <- (_10) ] s3 + | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) + | s4 = bb7 ] + + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'1 t} s1 + | s1 = -{resolve'0 t}- s2 + | s2 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] ] + + | bb8 = s0 + [ s0 = {inv'2 self_.current} + Borrow.borrow_final {self_.current} {Borrow.get_id self_} + (fun (_ret':borrowed (t_Option'0)) -> + [ &_11 <- _ret' ] + -{inv'2 _ret'.final}- + [ &self_ <- { self_ with current = _ret'.final } ] + s1) + | s1 = take'0 {_11} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s2) + | s2 = bb9 ] + + | bb9 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb12 ] + | bb10 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb11 ] + | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] + | bb12 = bb13 + | bb4 = s0 + [ s0 = {[@expl:type invariant] inv'4 predicate'} s1 + | s1 = -{resolve'2 predicate'}- s2 + | s2 = {[@expl:type invariant] inv'3 self_} s3 + | s3 = -{resolve'1 self_}- s4 + | s4 = bb6 ] + + | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb13 ] + | bb13 = bb14 + | bb14 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : borrowed (t_Option'0) = self_ + | & predicate' : t_P'0 = predicate' + | & t : borrowed t_T'0 = any_l () + | & _7 : bool = any_l () + | & _9 : borrowed t_T'0 = any_l () + | & _10 : borrowed t_T'0 = any_l () + | & _11 : borrowed (t_Option'0) = any_l () ] + + [ return' 
(result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_take_if_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body ensures] [%#soption4] match self_.current with + | C_None'0 -> result = C_None'0 /\ self_.final = C_None'0 + | C_Some'0 cur -> exists b : borrowed t_T'0, res : bool . inv'1 b + /\ cur = b.current + /\ postcondition_once'0 predicate' (b) res + /\ (if res then + self_.final = C_None'0 /\ result = C_Some'0 (b.final) + else + self_.final = C_Some'0 (b.final) /\ result = C_None'0 + ) + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Greater'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Less'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Less'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Greater'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = 
"../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'1_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption2] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : t_Option'0) : () + + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption4] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + constant z : t_Option'0 + + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : t_Option'0) (y : t_Option'0) (z : t_Option'0) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + 
let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = 
"../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + axiom refl'0_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Borrow + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_P'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant7] inv'0 self.current /\ inv'0 self.final + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'5 x] . inv'5 x = (let (x0) = x in inv'1 x0) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : borrowed t_T'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + = + [%#soption2] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + constant x : t_Option'0 - axiom inv_axiom'4 [@rewrite] : forall x : bool [inv'6 x] . inv'6 x = true + constant y : t_Option'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : borrowed t_T'0) (result : bool) - + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : t_Option'0) (y : t_Option'0) : () - let rec call_once'0 (self:t_P'0) (args:borrowed t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'4 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:bool)-> {inv'6 result} {[%#sops5] postcondition_once'0 self args result} (! 
return' {result}) ] - + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 476 14 476 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 474 4 474 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve6] self.final = self.current + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'3 _1 + type t_T'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'0 a_0 - end + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = - [%#sinvariant7] inv'2 self.current /\ inv'2 self.final + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'3 x] . inv'3 x = invariant'1 x + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 - let rec take'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'0))= {[@expl:take 'self' type invariant] inv'3 self} - any - [ return' (result:t_Option'0)-> {inv'2 result} - {[%#soption0] result = self.current /\ self.final = C_None'0} - (! 
return' {result}) ] + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = - [%#sresolve6] self.final = self.current + constant self : t_IntoIter'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = - resolve'4 _1 + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (self : t_IntoIter'0) : () - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 481 15 481 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 482 15 482 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 483 14 483 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 479 4 479 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 - use prelude.prelude.Intrinsic + type t_T'0 - meta "compute_max_steps" 1000000 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - let rec extern_spec_std_option_T_Option_T_take_if_body'0 (self_:borrowed (t_Option'0)) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'self_' type invariant] [%#soption0] inv'3 self_} - 
{[@expl:extern_spec_std_option_T_Option_T_take_if_body 'predicate' type invariant] [%#soption1] inv'4 predicate'} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body requires] [%#soption2] match self_.current with - | C_None'0 -> true - | C_Some'0 t -> forall b : borrowed t_T'0 . inv'1 b /\ b.current = t -> precondition'0 predicate' (b) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_.current} - (fun (r0'0:t_T'0) -> - {inv'0 r0'0} - Borrow.borrow_mut {r0'0} - (fun (_ret':borrowed t_T'0) -> - [ &t <- _ret' ] - -{inv'0 _ret'.final}- - [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] - s1)) - | s1 = {inv'0 t.current} - Borrow.borrow_final {t.current} {Borrow.get_id t} - (fun (_ret':borrowed t_T'0) -> - [ &_10 <- _ret' ] - -{inv'0 _ret'.final}- - [ &t <- { t with current = _ret'.final } ] - s2) - | s2 = [ &_9 <- (_10) ] s3 - | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) - | s4 = bb7 ] - - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'1 t} s1 - | s1 = -{resolve'0 t}- s2 - | s2 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! 
bb8) ] ] - - | bb8 = s0 - [ s0 = {inv'2 self_.current} - Borrow.borrow_final {self_.current} {Borrow.get_id self_} - (fun (_ret':borrowed (t_Option'0)) -> - [ &_11 <- _ret' ] - -{inv'2 _ret'.final}- - [ &self_ <- { self_ with current = _ret'.final } ] - s1) - | s1 = take'0 {_11} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s2) - | s2 = bb9 ] - - | bb9 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb12 ] - | bb10 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb11 ] - | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] - | bb12 = bb13 - | bb4 = s0 - [ s0 = {[@expl:type invariant] inv'4 predicate'} s1 - | s1 = -{resolve'2 predicate'}- s2 - | s2 = {[@expl:type invariant] inv'3 self_} s3 - | s3 = -{resolve'1 self_}- s4 - | s4 = bb6 ] - - | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb13 ] - | bb13 = bb14 - | bb14 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : borrowed (t_Option'0) = self_ - | & predicate' : t_P'0 = predicate' - | & t : borrowed t_T'0 = any_l () - | & _7 : bool = any_l () - | & _9 : borrowed t_T'0 = any_l () - | & _10 : borrowed t_T'0 = any_l () - | & _11 : borrowed (t_Option'0) = any_l () ] + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_take_if_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body ensures] [%#soption4] match self_.current with - | C_None'0 -> result = C_None'0 /\ self_.final = C_None'0 - | C_Some'0 cur -> exists b : 
borrowed t_T'0, res : bool . inv'1 b - /\ cur = b.current - /\ postcondition_once'0 predicate' (b) res - /\ (if res then - self_.final = C_None'0 /\ result = C_Some'0 (b.final) - else - self_.final = C_Some'0 (b.final) /\ result = C_None'0 - ) - end} - (! return' {result}) ] + = + [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + use seq.Seq + + constant a : t_IntoIter'0 + + constant ab : Seq.seq t_T'0 + + constant b : t_IntoIter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 
32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 529 14 529 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 527 4 527 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + + use seq.Seq + + use prelude.prelude.Borrow type t_T'0 + use seq.Seq + type t_Option'0 = | C_None'0 | C_Some'0 t_T'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + type t_Iter'0 = + { t_Iter__inner'0: t_Item'0 } + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant self : t_Iter'0 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (self : t_Iter'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 534 15 534 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 535 15 535 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 536 14 536 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 532 4 532 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Borrow - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_Iter'0 = + { t_Iter__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant a : t_Iter'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + constant ab : Seq.seq t_T'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + constant b : t_Iter'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + constant bc : Seq.seq t_T'0 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + constant c : t_Iter'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 585 14 585 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 583 4 583 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use seq.Seq - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Borrow - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_T'0) - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + type t_IterMut'0 = + { t_IterMut__inner'0: t_Item'0 } - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - - = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Option'0) (o : t_Option'0) : bool + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) = - [%#sord2] cmp_log'0 self o <> C_Greater'0 - - constant x : t_Option'0 + [%#soption2] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o + \/ (exists e : borrowed t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - constant y : t_Option'0 + constant self : t_IterMut'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : t_Option'0) (y : t_Option'0) : () - + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (self : t_IterMut'0) : () - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span 
sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 590 15 590 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 591 15 591 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 592 14 592 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 588 4 588 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + + use prelude.prelude.Borrow type t_T'0 type t_Option'0 = | C_None'0 - | C_Some'0 t_T'0 + | C_Some'0 (borrowed t_T'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + type t_IterMut'0 = + { t_IterMut__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + = + [%#soption4] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o + \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant a : t_IterMut'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + constant ab : Seq.seq (borrowed t_T'0) - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + constant b : t_IterMut'0 + + constant bc : Seq.seq (borrowed t_T'0) + + constant c : t_IterMut'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () + + + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__ptr__qyi17063894948818224584__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (* <*const T as std::ptr::PointerExt> *) + let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + + use prelude.prelude.Opaque + + use prelude.prelude.Int + + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + + constant self : opaque_ptr + + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool + + goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) +end +module M_creusot_contracts__stdqy35z1__ptr__qyi4877913266695965320__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (* <*mut T as std::ptr::PointerExt> *) + let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 96 14 96 48 + let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 98 8 98 30 + + use prelude.prelude.Opaque + + use prelude.prelude.Int + + function addr_logic'0 
[#"../../../creusot-contracts/src/std/ptr.rs" 90 4 90 30] (self : opaque_ptr) : int + + constant self : opaque_ptr + + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (self : opaque_ptr) : bool + + goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) +end +module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 411 14 411 45 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 409 4 409 10 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Iter'0 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Slice - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.UIntSize - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + constant v_MAX'0 : usize = (18446744073709551615 : usize) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Int - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Slice - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + axiom view'2_spec : forall self : slice t_T'0 . 
([%#sslice7] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice8] view'2 self = Slice.id self) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel5] view'2 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sindex6] Seq.get (view'2 self) ix - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Option'0) (o : t_Option'0) : bool - - = - [%#sord2] cmp_log'0 self o = C_Less'0 + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - constant x : t_Option'0 + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice4] forall i : int . 
0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - constant y : t_Option'0 + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : t_Option'0) (y : t_Option'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + = + [%#sslice2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 
14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant self : t_Iter'0 - type t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (self : t_Iter'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 416 15 416 32 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 417 15 417 32 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 418 14 418 42 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 414 4 414 10 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use prelude.prelude.Opaque - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_Iter'0 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use prelude.prelude.Borrow - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Slice - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.UIntSize - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + constant v_MAX'0 : usize = (18446744073709551615 : usize) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Int - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Slice - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice10] view'2 self = Slice.id self) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel7] view'2 self - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex8] Seq.get (view'2 self) ix - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . 
([%#sslice5] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - - = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Option'0) (o : t_Option'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#sord2] cmp_log'0 self o <> C_Less'0 + [%#sslice4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant x : t_Option'0 + constant a : t_Iter'0 - constant y : t_Option'0 + constant ab : Seq.seq t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : t_Option'0) (y : t_Option'0) : () - + constant b : t_Iter'0 - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant bc : Seq.seq t_T'0 - type t_T'0 + constant c : t_Iter'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) + -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 465 14 465 45 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 463 4 463 10 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 + let%span sslice5 = 
"../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + let%span smodel8 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sindex9 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_T'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Opaque - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_IterMut'0 = + { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.UIntSize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.UIntSize - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Slice - axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Slice - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice6] Seq.length (view'1 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice7] view'1 self = Slice.id self) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom view'0_spec : forall self : t_IterMut'0 . 
[%#sslice3] Seq.length (view'1 (view'0 self).final) + = Seq.length (view'1 (view'0 self).current) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + + = + [%#smodel8] view'1 self.current - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sindex9] Seq.get (view'1 self) ix - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Option'0) (o : t_Option'0) : bool + function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - = - [%#sord2] cmp_log'0 self o = C_Greater'0 - constant x : t_Option'0 + axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice4] Seq.length (to_mut_seq'0 self) + = Seq.length (view'2 self)) + && ([%#sslice5] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq'0 self) + -> Seq.get (to_mut_seq'0 self) i + = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) - constant y : t_Option'0 + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : t_Option'0) (y : t_Option'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + = + [%#sslice2] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) + constant self : t_IterMut'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (self : t_IterMut'0) : () + + goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span 
sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 470 15 470 32 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 471 15 471 32 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 472 14 472 42 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 468 4 468 10 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + let%span smodel10 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sindex11 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - type t_T'0 + use prelude.prelude.Opaque - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_IterMut'0 = + { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use 
prelude.prelude.Borrow - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.UIntSize - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.Int - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use prelude.prelude.Slice - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Slice - axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + axiom view'1_spec : forall self : slice t_T'0 . 
([%#sslice8] Seq.length (view'1 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice9] view'1 self = Slice.id self) - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice5] Seq.length (view'1 (view'0 self).final) + = Seq.length (view'1 (view'0 self).current) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + + = + [%#smodel10] view'1 self.current - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex11] Seq.get (view'1 self) ix - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice6] Seq.length (to_mut_seq'0 self) + = Seq.length (view'2 self)) + && ([%#sslice7] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) + -> Seq.get (to_mut_seq'0 self) i + = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) = - [%#soption2] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end - - constant x : t_Option'0 + [%#sslice4] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : t_Option'0) : () + constant a : t_IterMut'0 - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - 
let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant ab : Seq.seq (borrowed t_T'0) - type t_T'0 + constant b : t_IterMut'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + constant bc : Seq.seq (borrowed t_T'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + constant c : t_IterMut'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) + -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_refl [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (* as std::iter::Iterator> *) + let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 270 14 270 45 + let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 268 4 268 10 + let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 + + use seq.Seq + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + use prelude.prelude.UIntSize - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + type t_A'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_A'0 } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + type t_IntoIter'0 = + { t_IntoIter__buf'0: t_NonNull'0; + t_IntoIter__phantom'0: (); + t_IntoIter__cap'0: usize; + t_IntoIter__alloc'0: t_ManuallyDrop'0; + t_IntoIter__ptr'0: t_NonNull'0; + t_IntoIter__end'0: opaque_ptr } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + + = + [%#svec2] view'0 self = Seq.(++) visited (view'0 rhs) - axiom refl'0_spec : forall x : t_T'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 + constant self : t_IntoIter'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (self : t_IntoIter'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_refl'0 : [%#svec0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_trans [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (* as std::iter::Iterator> *) + let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 275 15 275 32 + let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 276 15 276 32 + let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 277 14 277 42 + let%span svec3 = "../../../creusot-contracts/src/std/vec.rs" 273 4 273 10 + let%span svec4 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Opaque - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_A'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_A'0 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_IntoIter'0 = + { t_IntoIter__buf'0: t_NonNull'0; + t_IntoIter__phantom'0: (); + t_IntoIter__cap'0: usize; + t_IntoIter__alloc'0: t_ManuallyDrop'0; + t_IntoIter__ptr'0: t_NonNull'0; + t_IntoIter__end'0: opaque_ptr } - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_T'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) = - [%#soption4] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#svec4] view'0 self = Seq.(++) visited (view'0 rhs) - constant x : t_Option'0 + constant a : t_IntoIter'0 - constant y : t_Option'0 + constant ab : Seq.seq t_T'0 - constant z : t_Option'0 + constant b : t_IntoIter'0 - constant o : t_Ordering'0 + constant bc : Seq.seq t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : t_Option'0) (y : t_Option'0) (z : t_Option'0) (o : t_Ordering'0) : () + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) + goal vc_produces_trans'0 : ([%#svec1] produces'0 b bc c) + -> ([%#svec0] produces'0 a ab b) -> ([%#svec2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = 
"../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_T'0 + use prelude.prelude.Real - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : Real.real - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : Real.real) (y : Real.real) : () + - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + goal vc_cmp_le_log'0 : [%#sord0] Real.(<=) x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Real - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + constant x : Real.real - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant y : Real.real - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : Real.real) (y : Real.real) : () + - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_cmp_lt_log'0 : [%#sord0] Real.(<) x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Real - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + constant x : Real.real - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + constant y : Real.real - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : Real.real) (y : Real.real) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_cmp_ge_log'0 : [%#sord0] Real.(>=) x y = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use prelude.prelude.Real - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : t_Option'0 + constant x : Real.real - constant y : t_Option'0 + constant y : Real.real - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : t_Option'0) (y : t_Option'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : Real.real) (y : Real.real) : () - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) + goal vc_cmp_gt_log'0 : [%#sord0] Real.(>) x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = 
"../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 - - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 +module M_creusot_contracts__num_rational__qyi7156484438548626841__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : Real.real) : () - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span snum_rational4 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Real - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Real - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational4] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + constant x : Real.real - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant y : Real.real - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + constant z : Real.real - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + constant o : t_Ordering'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : Real.real) (y : Real.real) (z : Real.real) (o : t_Ordering'0) : () + - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Real - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Real - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + constant y : Real.real - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : Real.real) (y : Real.real) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use prelude.prelude.Real - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : t_Option'0 + constant x : Real.real - constant y : t_Option'0 + constant y : Real.real - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : t_Option'0) (y : t_Option'0) : () - + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : Real.real) (y : Real.real) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* as logic::ord::OrdLogic> *) +module M_creusot_contracts__num_rational__qyi7156484438548626841__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - 
let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : Real.real - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : Real.real) (y : Real.real) : () - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . 
([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__ghost__qyi17645547594388049322__clone [#"../../../creusot-contracts/src/ghost.rs" 50 4 50 27] (* as std::clone::Clone> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 50 14 50 18 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 50 23 50 27 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 49 14 49 29 + let%span sclone3 = "../../../creusot-contracts/src/std/clone.rs" 7 0 20 1 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.Borrow - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'4 self - axiom refl'0_spec : forall x : t_T'0 . 
[%#sord7] cmp_log'1 x x = C_Equal'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'2 x - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant4] inv'3 self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + let rec clone'1 (self:t_T'0) (return' (ret:t_T'0))= {[@expl:clone 'self' type invariant] inv'2 self} + any [ return' (result:t_T'0)-> {inv'3 result} {[%#sclone3] result = self} (! return' {result}) ] - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Intrinsic - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'3 a_0 + end - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . 
[%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = + [%#sinvariant4] inv'1 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + meta "compute_max_steps" 1000000 - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + let rec clone'0 (self:t_GhostBox'0) (return' (ret:t_GhostBox'0))= {[@expl:clone 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 [ s0 = clone'1 {self.t_GhostBox__0'0} (fun (_ret':t_T'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = _3 } ] s1 | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'0 = self | & _3 : t_T'0 = any_l () ] + [ return' (result:t_GhostBox'0)-> {[@expl:clone result type invariant] [%#sghost1] inv'1 result} + {[@expl:clone ensures] [%#sghost2] result = self} + (! 
return' {result}) ] - = - [%#soption2] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end +end +module M_creusot_contracts__ghost__qyi1862168959261460300__deref [#"../../../creusot-contracts/src/ghost.rs" 69 4 69 36] (* as std::ops::Deref> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 69 23 69 36 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 + let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + + type t_T'0 + + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } + + use prelude.prelude.Borrow + + use prelude.prelude.Intrinsic + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'3 self + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'2 x] . inv'2 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = + [%#sinvariant3] inv'2 self + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant x : t_Option'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . 
inv'0 x = invariant'0 x - constant y : t_Option'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant3] inv'3 self - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : t_Option'0) (y : t_Option'0) : () + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'1 x + + meta "compute_max_steps" 1000000 + + let rec deref'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:deref 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 + [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 + | s1 = [ &_4 <- _5 ] s2 + | s2 = [ &_2 <- _4 ] s3 + | s3 = [ &_0 <- _2 ] s4 + | s4 = return' {_0} ] + ] + ) + [ & _0 : t_T'0 = any_l () + | & self : t_GhostBox'0 = self + | & _2 : t_T'0 = any_l () + | & _4 : t_T'0 = any_l () + | & _5 : t_T'0 = any_l () ] + + [ return' (result:t_T'0)-> {[@expl:deref result type invariant] [%#sghost1] inv'1 result} + {[@expl:deref ensures] [%#sghost2] self.t_GhostBox__0'0 = result} + (! 
return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 476 14 476 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 474 4 474 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 +module M_creusot_contracts__ghost__qyi17214052996668775070__deref_mut [#"../../../creusot-contracts/src/ghost.rs" 85 4 85 48] (* as std::ops::DerefMut> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 85 22 85 26 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 85 31 85 48 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 84 14 84 36 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use seq.Seq + use prelude.prelude.Borrow type t_T'0 - use seq.Seq + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant4] inv'0 self.current /\ inv'0 self.final - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . 
inv'1 x = invariant'0 x - use seq.Seq + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'2 _1 - constant self : t_IntoIter'0 + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'0 self - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (self : t_IntoIter'0) : () + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 481 15 481 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 482 15 482 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 483 14 483 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 479 4 479 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . 
inv'4 x = invariant'2 x - type t_T'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'0)) = + [%#sinvariant4] inv'3 self.current /\ inv'3 self.final - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'0)) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'0) [inv'2 x] . inv'2 x = invariant'1 x - use seq.Seq + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'0)) = + [%#sresolve3] self.final = self.current - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'0)) = + resolve'3 _1 - use seq.Seq + use prelude.prelude.Intrinsic - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + meta "compute_max_steps" 1000000 + + let rec deref_mut'0 (self:borrowed (t_GhostBox'0)) (return' (ret:borrowed t_T'0))= {[@expl:deref_mut 'self' type invariant] [%#sghost0] inv'2 self} + (! 
bb0 + [ bb0 = s0 + [ s0 = {inv'0 (self.current).t_GhostBox__0'0} + Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_T'0) -> + [ &_5 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] + s1) + | s1 = {inv'0 _5.current} + Borrow.borrow_final {_5.current} {Borrow.get_id _5} + (fun (_ret':borrowed t_T'0) -> + [ &_4 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_5 <- { _5 with current = _ret'.final } ] + s2) + | s2 = {inv'0 _4.current} + Borrow.borrow_final {_4.current} {Borrow.get_id _4} + (fun (_ret':borrowed t_T'0) -> + [ &_2 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_4 <- { _4 with current = _ret'.final } ] + s3) + | s3 = {inv'0 _2.current} + Borrow.borrow_final {_2.current} {Borrow.get_id _2} + (fun (_ret':borrowed t_T'0) -> + [ &_0 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_2 <- { _2 with current = _ret'.final } ] + s4) + | s4 = {[@expl:type invariant] inv'1 _5} s5 + | s5 = -{resolve'0 _5}- s6 + | s6 = {[@expl:type invariant] inv'1 _4} s7 + | s7 = -{resolve'0 _4}- s8 + | s8 = {[@expl:type invariant] inv'1 _2} s9 + | s9 = -{resolve'0 _2}- s10 + | s10 = {[@expl:type invariant] inv'2 self} s11 + | s11 = -{resolve'1 self}- s12 + | s12 = return' {_0} ] + ] + ) + [ & _0 : borrowed t_T'0 = any_l () + | & self : borrowed (t_GhostBox'0) = self + | & _2 : borrowed t_T'0 = any_l () + | & _4 : borrowed t_T'0 = any_l () + | & _5 : borrowed t_T'0 = any_l () ] - = - [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + [ return' (result:borrowed t_T'0)-> {[@expl:deref_mut result type invariant] [%#sghost1] inv'1 result} + {[@expl:deref_mut ensures] [%#sghost2] result + = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} + (! 
return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi2175792468772189056__borrow [#"../../../creusot-contracts/src/ghost.rs" 124 4 124 40] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 124 19 124 23 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 124 28 124 40 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 123 14 123 35 + let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use seq.Seq + type t_T'0 - constant a : t_IntoIter'0 + type t_GhostBox'1 = + { t_GhostBox__0'0: t_T'0 } - constant ab : Seq.seq t_T'0 + use prelude.prelude.Borrow - constant b : t_IntoIter'0 + type t_GhostBox'0 = + { t_GhostBox__0'1: t_T'0 } - constant bc : Seq.seq t_T'0 + use prelude.prelude.Intrinsic - constant c : t_IntoIter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'6 self - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 529 14 529 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 527 4 527 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use 
seq.Seq + axiom inv_axiom'4 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - use prelude.prelude.Borrow + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - type t_T'0 + axiom inv_axiom'3 [@rewrite] : forall x : t_GhostBox'1 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'1) = + [%#sinvariant3] inv'3 self - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'1 [inv'0 x] . inv'0 x = invariant'0 x - type t_Iter'0 = - { t_Iter__inner'0: t_Item'0 } + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant3] inv'6 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'3 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) - - = - [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'5 self - constant self : t_Iter'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (self : t_Iter'0) : () + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'1 = a_0} -> inv'2 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec borrow'0 (self:t_GhostBox'1) (return' (ret:t_GhostBox'0))= {[@expl:borrow 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _5 } ] s1 | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'1 = self | & _5 : t_T'0 = any_l () ] + [ return' (result:t_GhostBox'0)-> {[@expl:borrow result type invariant] [%#sghost1] inv'1 result} + {[@expl:borrow ensures] [%#sghost2] result.t_GhostBox__0'1 = self.t_GhostBox__0'0} + (! 
return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 534 15 534 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 535 15 535 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 536 14 536 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 532 4 532 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 +module M_creusot_contracts__ghost__qyi2175792468772189056__borrow_mut [#"../../../creusot-contracts/src/ghost.rs" 138 4 138 52] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 138 27 138 31 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 138 36 138 52 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 137 14 137 39 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + type t_GhostBox'1 = + { t_GhostBox__0'0: t_T'0 } - type t_Iter'0 = - { t_Iter__inner'0: t_Item'0 } + type t_GhostBox'0 = + { t_GhostBox__0'1: borrowed t_T'0 } - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant4] inv'0 self.current /\ inv'0 self.final - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 
506 4 506 34] (self : t_Iter'0) : t_Option'0 + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - use seq.Seq + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'2 _1 - use seq.Seq + predicate invariant'3 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'0 self - constant a : t_Iter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - constant ab : Seq.seq t_T'0 + axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'6 x] . inv'6 x = invariant'3 x - constant b : t_Iter'0 + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - constant bc : Seq.seq t_T'0 + axiom inv_axiom'4 [@rewrite] : forall x : t_GhostBox'1 [inv'5 x] . 
inv'5 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'6 a_0 + end - constant c : t_Iter'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'1)) = + [%#sinvariant4] inv'5 self.current /\ inv'5 self.final - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'1)) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 585 14 585 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 583 4 583 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'1) [inv'2 x] . 
inv'2 x = invariant'1 x - use seq.Seq + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'1)) = + [%#sresolve3] self.final = self.current - use prelude.prelude.Borrow + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'1)) = + resolve'3 _1 - type t_T'0 + use prelude.prelude.Intrinsic - use seq.Seq + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : borrowed t_T'0) = + [%#sboxed5] inv'1 self - type t_Option'0 = - | C_None'0 - | C_Some'0 (borrowed t_T'0) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - type t_IterMut'0 = - { t_IterMut__inner'0: t_Item'0 } + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'1 = a_0} -> inv'4 a_0 + end - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + let rec borrow_mut'0 (self:borrowed (t_GhostBox'1)) (return' (ret:t_GhostBox'0))= {[@expl:borrow_mut 'self' type invariant] [%#sghost0] inv'2 self} + (! 
bb0 + [ bb0 = s0 + [ s0 = {inv'0 (self.current).t_GhostBox__0'0} + Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_T'0) -> + [ &_5 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] + s1) + | s1 = {inv'0 _5.current} + Borrow.borrow_final {_5.current} {Borrow.get_id _5} + (fun (_ret':borrowed t_T'0) -> + [ &_4 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_5 <- { _5 with current = _ret'.final } ] + s2) + | s2 = bb1 ] + + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _4 } ] s1 | s1 = bb2 ] + | bb2 = s0 + [ s0 = {[@expl:type invariant] inv'1 _5} s1 + | s1 = -{resolve'0 _5}- s2 + | s2 = {[@expl:type invariant] inv'2 self} s3 + | s3 = -{resolve'1 self}- s4 + | s4 = return' {_0} ] + ] + ) + [ & _0 : t_GhostBox'0 = any_l () + | & self : borrowed (t_GhostBox'1) = self + | & _4 : borrowed t_T'0 = any_l () + | & _5 : borrowed t_T'0 = any_l () ] + + [ return' (result:t_GhostBox'0)-> {[@expl:borrow_mut result type invariant] [%#sghost1] inv'3 result} + {[@expl:borrow_mut ensures] [%#sghost2] result.t_GhostBox__0'1 + = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} + (! return' {result}) ] - = - [%#soption2] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o - \/ (exists e : borrowed t_T'0 . 
view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - - constant self : t_IterMut'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (self : t_IterMut'0) : () - - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 590 15 590 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 591 15 591 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 592 14 592 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 588 4 588 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 - - use prelude.prelude.Borrow +module M_creusot_contracts__ghost__qyi2175792468772189056__conjure [#"../../../creusot-contracts/src/ghost.rs" 155 4 155 28] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 154 15 154 20 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 155 24 155 28 + let%span sboxed2 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 (borrowed t_T'0) - - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } - - type t_IterMut'0 = - { t_IterMut__inner'0: t_Item'0 } + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - use seq.Seq + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed2] inv'2 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + predicate inv'1 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o - \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'1 a_0 + end - constant a : t_IterMut'0 + meta "compute_max_steps" 1000000 - constant ab : Seq.seq (borrowed t_T'0) + let rec conjure'0 (_1:()) (return' (ret:t_GhostBox'0))= {[@expl:conjure requires] [%#sghost0] false} + (! bb0 [ bb0 = bb1 | bb1 = bb1 [ bb1 = (! bb2) [ bb2 = bb1 ] ] ] ) + [ return' (result:t_GhostBox'0)-> {[@expl:conjure result type invariant] [%#sghost1] inv'0 result} + (! 
return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi2175792468772189056__new [#"../../../creusot-contracts/src/ghost.rs" 181 4 181 28] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 181 24 181 28 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 + let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - constant b : t_IterMut'0 + type t_T'0 - constant bc : Seq.seq (borrowed t_T'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - constant c : t_IterMut'0 + use prelude.prelude.Intrinsic - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__ptr__qyi17063894948818224584__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (* <*const T as std::ptr::PointerExt> *) - let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed3] inv'0 self - use prelude.prelude.Opaque + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use prelude.prelude.Int + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'0 x - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant self : opaque_ptr + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool + meta "compute_max_steps" 1000000 - goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) + let rec new'0 (x:t_T'0) (return' (ret:t_GhostBox'0))= {[@expl:new 'x' type invariant] [%#sghost0] inv'0 x} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = x } ] s1 | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & x : t_T'0 = x ] + [ return' (result:t_GhostBox'0)-> {[@expl:new result type invariant] [%#sghost1] inv'1 result} + {[@expl:new ensures] [%#sghost2] result.t_GhostBox__0'0 = x} + (! 
return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__ptr__qyi4877913266695965320__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (* <*mut T as std::ptr::PointerExt> *) - let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 96 14 96 48 - let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 98 8 98 30 +module M_creusot_contracts__ghost__qyi2175792468772189056__into_inner [#"../../../creusot-contracts/src/ghost.rs" 199 4 199 32] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 199 31 199 32 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 + let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use prelude.prelude.Opaque + type t_T'0 - use prelude.prelude.Int + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 90 4 90 30] (self : opaque_ptr) : int + use prelude.prelude.Intrinsic - constant self : opaque_ptr + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (self : opaque_ptr) : bool + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed3] inv'1 self - goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) -end -module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 411 14 411 45 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 409 4 409 10 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 - let%span sslice3 = 
"../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x - use prelude.prelude.Borrow + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - type t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - use seq.Seq + meta "compute_max_steps" 1000000 - use prelude.prelude.Opaque + let rec into_inner'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:into_inner 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 [ bb0 = bb1 | bb1 = s0 [ s0 = [ &_0 <- self.t_GhostBox__0'0 ] s1 | s1 = bb2 ] | bb2 = return' {_0} ] ) + [ & _0 : t_T'0 = any_l () | & self : t_GhostBox'0 = self ] + + [ return' (result:t_T'0)-> {[@expl:into_inner result type invariant] [%#sghost1] inv'1 result} + {[@expl:into_inner ensures] [%#sghost2] result = self.t_GhostBox__0'0} + (! 
return' {result}) ] + +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__subtract [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 195 15 195 33 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 196 14 196 36 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 197 14 197 46 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 198 14 202 5 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 180 14 184 5 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 204 8 204 33 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 154 12 154 89 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 146 19 146 71 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 163 15 163 35 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 164 14 170 5 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 171 14 171 54 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap12 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap13 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap16 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap17 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + type t_FMap'0 - type t_Iter'0 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_K'0 - use prelude.prelude.Slice + type t_V'0 - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 + 
type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use seq.Seq + use map.Map - use seq.Seq + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) + - use seq.Seq + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap17] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'0 m1 <> view'0 m2 - use prelude.prelude.UIntSize + use map.Map - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap14] Map.get (view'0 self) k - use prelude.prelude.UIntSize + function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + + = + [%#sfmap15] get_unsized'0 self k <> C_None'0 - use prelude.prelude.Int + function subset'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 152 4 152 44] (self : t_FMap'0) (other : t_FMap'0) : bool + + = + [%#sfmap6] forall k : t_K'0 . contains'0 self k -> get_unsized'0 other k = get_unsized'0 self k - use prelude.prelude.Slice + function disjoint'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 145 4 145 46] (self : t_FMap'0) (other : t_FMap'0) : bool + + = + [%#sfmap7] forall k : t_K'0 . not contains'0 self k \/ not contains'0 other k - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + use prelude.prelude.Int - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice8] view'2 self = Slice.id self) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel5] view'2 self + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap16] len'0 self >= 0 - use seq.Seq + function union'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 172 4 172 43] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + - use seq.Seq + axiom union'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap8] disjoint'0 self other) + -> ([%#sfmap9] forall k : t_K'0 . get_unsized'0 (union'0 self other) k + = (if contains'0 self k then + get_unsized'0 self k + else + if contains'0 other k then get_unsized'0 other k else C_None'0 + )) + && ([%#sfmap10] len'0 (union'0 self other) = len'0 self + len'0 other) - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool = - [%#sindex6] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + [%#sfmap13] view'0 self = view'0 other - use seq.Seq + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap11] ext_eq'0 self other -> self = other) + && ([%#sfmap12] (forall k : t_K'0 . 
get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function subtract_keys'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 185 4 185 51] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - = - [%#sslice2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant self : t_Iter'0 + axiom subtract_keys'0_spec : forall self : t_FMap'0, other : t_FMap'0 . [%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k) - function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (self : t_Iter'0) : () + constant self : t_FMap'0 - goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 416 15 416 32 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 417 15 417 32 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 418 14 418 42 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 414 4 414 10 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + constant other : 
t_FMap'0 - use prelude.prelude.Opaque + function subtract'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + goal vc_subtract'0 : ([%#sfmap0] subset'0 other self) + -> ([%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k)) + -> (let result = subtract_keys'0 self other in ([%#sfmap1] disjoint'0 result other) + && ([%#sfmap2] ext_eq'0 (union'0 other result) self) + && ([%#sfmap3] forall k : t_K'0 . get_unsized'0 result k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k))) +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__ext_eq [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - type t_Iter'0 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_K'0 - use prelude.prelude.Borrow + type t_FMap'0 - type t_T'0 + type t_V'0 - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use prelude.prelude.Slice + use map.Map - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) + - use seq.Seq + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'0 m1 <> view'0 m2 - use seq.Seq + use map.Map - use seq.Seq + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] Map.get (view'0 self) k - use prelude.prelude.UIntSize + constant self : t_FMap'0 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + constant other : t_FMap'0 - use prelude.prelude.UIntSize + function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool + - use prelude.prelude.Int + goal vc_ext_eq'0 : ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) + -> ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) + -> (let result = view'0 self = view'0 other in ([%#sfmap0] result -> self = other) + && ([%#sfmap1] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> result)) +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__contains_ghost [#"../../../creusot-contracts/src/logic/fmap.rs" 285 4 285 49] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 285 27 285 31 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 285 33 285 36 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 284 14 284 43 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 314 22 314 26 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 314 28 314 31 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 314 40 314 50 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 306 4 313 11 + let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 36 26 36 51 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 + let%span sfmap10 = 
"../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sutil11 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil12 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 + let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 452 20 452 91 + let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use prelude.prelude.Slice + use prelude.prelude.Borrow - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + type t_FMap'0 - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice10] view'2 self = Slice.id self) + type t_K'0 - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel7] view'2 self + type t_V'0 - use seq.Seq + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - use seq.Seq + use map.Map - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - = - [%#sindex8] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap14] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'0 m1 <> view'0 m2 - use seq.Seq + use map.Map - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#sslice4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - - constant a : t_Iter'0 + [%#sfmap10] Map.get (view'0 self) k - constant ab : Seq.seq t_T'0 + function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + + = + [%#sfmap8] get_unsized'0 self k <> C_None'1 - constant b : t_Iter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - constant bc : Seq.seq t_T'0 + function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'1) : t_V'0 - constant c : t_Iter'0 + axiom unwrap'0_spec : forall op : t_Option'1 . 
([%#sutil11] op <> C_None'1) + -> ([%#sutil12] C_Some'1 (unwrap'0 op) = op) - function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + function lookup_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 123 4 123 50] (self : t_FMap'0) (k : t_K'0) : t_V'0 + = + [%#sfmap9] unwrap'0 (get_unsized'0 self k) - goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) - -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 465 14 465 45 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 463 4 463 10 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - let%span smodel8 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sindex9 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - use seq.Seq + predicate invariant'5 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_V'0) = + [%#sboxed16] inv'7 self - use prelude.prelude.Borrow + predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - type t_T'0 + axiom inv_axiom'6 [@rewrite] : forall x : t_V'0 
[inv'8 x] . inv'8 x = invariant'5 x - use seq.Seq + predicate invariant'4 [#"../../../creusot-contracts/src/logic/fmap.rs" 451 4 451 30] (self : t_FMap'0) = + [%#sfmap15] forall k : t_K'0 . contains'0 self k -> inv'6 k /\ inv'8 (lookup_unsized'0 self k) - use prelude.prelude.Opaque + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + axiom inv_axiom'5 [@rewrite] : forall x : t_FMap'0 [inv'5 x] . inv'5 x = invariant'4 x - type t_IterMut'0 = - { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_FMap'0) = + [%#sinvariant13] inv'5 self - use seq.Seq + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) - use prelude.prelude.UIntSize + axiom inv_axiom'0 [@rewrite] : forall x : t_FMap'0 [inv'0 x] . inv'0 x = invariant'0 x - constant v_MAX'0 : usize = (18446744073709551615 : usize) + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_K'0) = + [%#sinvariant13] inv'6 self - use prelude.prelude.UIntSize + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - use prelude.prelude.Int + axiom inv_axiom'1 [@rewrite] : forall x : t_K'0 [inv'1 x] . inv'1 x = invariant'1 x - use prelude.prelude.Slice + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use prelude.prelude.Slice + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_V'0) = + [%#sinvariant13] inv'7 self - use seq.Seq + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + axiom inv_axiom'4 [@rewrite] : forall x : t_V'0 [inv'4 x] . 
inv'4 x = invariant'3 x - axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice6] Seq.length (view'1 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice7] view'1 self = Slice.id self) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + axiom inv_axiom'2 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + let rec get_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:t_Option'0))= {[@expl:get_ghost 'self' type invariant] [%#sfmap3] inv'0 self} + {[@expl:get_ghost 'key' type invariant] [%#sfmap4] inv'1 key} + any + [ return' (result:t_Option'0)-> {[%#sfmap5] inv'2 result} + {[%#sfmap6] if contains'0 self key then + match result with + | C_None'0 -> false + | C_Some'0 r -> lookup_unsized'0 self key = r + end + else + result = C_None'0 + } + (! return' {result}) ] - axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice3] Seq.length (view'1 (view'0 self).final) - = Seq.length (view'1 (view'0 self).current) + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Option'0) = + [%#sinvariant13] inv'2 self - use seq.Seq + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 - - = - [%#smodel8] view'1 self.current + axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x = invariant'2 x - use seq.Seq + let rec is_some'0 (self:t_Option'0) (return' (ret:bool))= {[@expl:is_some 'self' type invariant] inv'3 self} + any [ return' (result:bool)-> {[%#soption7] result = (self <> C_None'0)} (! 
return' {result}) ] - use seq.Seq + use prelude.prelude.Intrinsic - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex9] Seq.get (view'1 self) ix + meta "compute_max_steps" 1000000 - function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) + let rec contains_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:bool))= {[@expl:contains_ghost 'self' type invariant] [%#sfmap0] inv'0 self} + {[@expl:contains_ghost 'key' type invariant] [%#sfmap1] inv'1 key} + (! bb0 + [ bb0 = s0 [ s0 = get_ghost'0 {self} {key} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = is_some'0 {_5} (fun (_ret':bool) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : bool = any_l () | & self : t_FMap'0 = self | & key : t_K'0 = key | & _5 : t_Option'0 = any_l () ] + [ return' (result:bool)-> {[@expl:contains_ghost ensures] [%#sfmap2] result = contains'0 self key} + (! return' {result}) ] +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice4] Seq.length (to_mut_seq'0 self) - = Seq.length (view'2 self)) - && ([%#sslice5] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq'0 self) - -> Seq.get (to_mut_seq'0 self) i - = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#sslice2] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - - constant self : t_IterMut'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (self : t_IterMut'0) : () + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self -end -module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 470 15 470 32 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 471 15 471 32 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 472 14 472 42 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 468 4 468 10 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 29 14 
29 42 - let%span smodel10 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sindex11 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + constant x : int - use prelude.prelude.Opaque + constant y : int - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int) (y : int) : () - type t_IterMut'0 = - { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_T'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - use prelude.prelude.UIntSize + constant y : int - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int) (y : int) : () - use prelude.prelude.UIntSize + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = 
"../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Slice + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Slice + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + constant y : int - axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice8] Seq.length (view'1 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice9] view'1 self = Slice.id self) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int) (y : int) : () - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) - + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom view'0_spec : forall self : t_IterMut'0 . 
[%#sslice5] Seq.length (view'1 (view'0 self).final) - = Seq.length (view'1 (view'0 self).current) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#smodel10] view'1 self.current + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - use seq.Seq + constant y : int - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex11] Seq.get (view'1 self) ix + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int) (y : int) : () - function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice6] Seq.length (to_mut_seq'0 self) - = Seq.length (view'2 self)) - && ([%#sslice7] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq'0 self) - -> Seq.get (to_mut_seq'0 self) i - = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#sslice4] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - - constant a : t_IterMut'0 - - constant ab : Seq.seq (borrowed t_T'0) - - constant b : t_IterMut'0 - - constant bc : Seq.seq (borrowed t_T'0) + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant c : t_IterMut'0 + constant x : int - function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int) : () - goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) - -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_refl [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (* as std::iter::Iterator> *) - let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 270 14 270 45 - let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 268 4 268 10 - let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 +module M_creusot_contracts__logic__ord__qyi8355372356285216375__trans 
[#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use seq.Seq + use prelude.prelude.Int - type t_T'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Opaque + constant x : int - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + constant y : int - use prelude.prelude.UIntSize + constant z : int - type t_A'0 + constant o : t_Ordering'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_A'0 } + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int) (y : int) (z : int) (o : t_Ordering'0) : () + - type t_IntoIter'0 = - { t_IntoIter__buf'0: t_NonNull'0; - t_IntoIter__phantom'0: (); - t_IntoIter__cap'0: usize; - t_IntoIter__alloc'0: t_ManuallyDrop'0; - t_IntoIter__ptr'0: t_NonNull'0; - t_IntoIter__end'0: opaque_ptr } + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#svec2] view'0 self = Seq.(++) visited (view'0 rhs) + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant self : t_IntoIter'0 + constant x : int - function produces_refl'0 [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (self : t_IntoIter'0) : () + constant y : int - goal vc_produces_refl'0 : [%#svec0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_trans [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (* as std::iter::Iterator> *) - let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 275 15 275 32 - let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 276 15 276 32 - let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 277 14 277 42 - let%span svec3 = "../../../creusot-contracts/src/std/vec.rs" 273 4 273 10 - let%span svec4 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int) (y : int) : () - use prelude.prelude.Opaque + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 
73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + use prelude.prelude.Int - use prelude.prelude.UIntSize + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_A'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_A'0 } + constant x : int - type t_IntoIter'0 = - { t_IntoIter__buf'0: t_NonNull'0; - t_IntoIter__phantom'0: (); - t_IntoIter__cap'0: usize; - t_IntoIter__alloc'0: t_ManuallyDrop'0; - t_IntoIter__ptr'0: t_NonNull'0; - t_IntoIter__end'0: opaque_ptr } + constant y : int - type t_T'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int) (y : int) : () - use seq.Seq + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + function cmp_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#svec4] view'0 self = Seq.(++) visited (view'0 rhs) - - constant a : t_IntoIter'0 - - constant ab : Seq.seq t_T'0 - - constant b : t_IntoIter'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant bc : Seq.seq t_T'0 + constant x : int - constant c : t_IntoIter'0 + constant y : int - function produces_trans'0 [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int) (y : int) : () - goal vc_produces_trans'0 : ([%#svec1] produces'0 b bc c) - -> ([%#svec0] produces'0 a ab b) -> ([%#svec2] produces'0 a (Seq.(++) ab bc) c) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) 
: t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : Real.real) (y : Real.real) : () - + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint8) (y : uint8) : () - goal vc_cmp_le_log'0 : [%#sord0] Real.(<=) x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : 
Real.real + constant y : uint8 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : Real.real) (y : Real.real) : () - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint8) (y : uint8) : () - goal vc_cmp_lt_log'0 : [%#sord0] Real.(<) x y = (cmp_log'0 x y = C_Less'0) + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 - | C_Greater'0 - - use prelude.prelude.Real + | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : Real.real) (y : Real.real) : () - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 
39] (x : uint8) (y : uint8) : () - goal vc_cmp_ge_log'0 : [%#sord0] Real.(>=) x y = (cmp_log'0 x y <> C_Less'0) + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : Real.real) (y : Real.real) : () - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint8) (y : uint8) : () - goal vc_cmp_gt_log'0 : [%#sord0] Real.(>) x y = (cmp_log'0 x y = C_Greater'0) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module 
M_creusot_contracts__num_rational__qyi7156484438548626841__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : Real.real) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint8) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__num_rational__qyi7156484438548626841__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = 
"../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span snum_rational4 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational4] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - constant z : Real.real + constant z : uint8 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : Real.real) (y : Real.real) (z : Real.real) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint8) (y : uint8) (z : uint8) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 
159 8 159 35 - let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : Real.real) (y : Real.real) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint8) (y : uint8) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | 
C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : Real.real) (y : Real.real) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint8) (y : uint8) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - 
[%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : Real.real) (y : Real.real) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint8) (y : uint8) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__ghost__qyi17645547594388049322__clone [#"../../../creusot-contracts/src/ghost.rs" 50 4 50 27] (* as std::clone::Clone> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 50 14 50 18 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 50 23 50 27 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 49 14 49 29 - let%span sclone3 = "../../../creusot-contracts/src/std/clone.rs" 7 0 20 1 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - - type t_T'0 - - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } - - use prelude.prelude.Borrow - - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'4 self - - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'2 x - - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant4] inv'3 self - - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . 
inv'2 x = invariant'1 x - - let rec clone'1 (self:t_T'0) (return' (ret:t_T'0))= {[@expl:clone 'self' type invariant] inv'2 self} - any [ return' (result:t_T'0)-> {inv'3 result} {[%#sclone3] result = self} (! return' {result}) ] +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.Int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt16 - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'3 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = - [%#sinvariant4] inv'1 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant x : uint16 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x + constant y : uint16 - meta "compute_max_steps" 1000000 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint16) (y : uint16) : () - let rec clone'0 (self:t_GhostBox'0) (return' (ret:t_GhostBox'0))= {[@expl:clone 'self' type invariant] [%#sghost0] inv'0 self} - (! 
bb0 - [ bb0 = s0 [ s0 = clone'1 {self.t_GhostBox__0'0} (fun (_ret':t_T'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = _3 } ] s1 | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'0 = self | & _3 : t_T'0 = any_l () ] - [ return' (result:t_GhostBox'0)-> {[@expl:clone result type invariant] [%#sghost1] inv'1 result} - {[@expl:clone ensures] [%#sghost2] result = self} - (! return' {result}) ] - + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__ghost__qyi1862168959261460300__deref [#"../../../creusot-contracts/src/ghost.rs" 69 4 69 36] (* as std::ops::Deref> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 69 23 69 36 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.Int - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + use prelude.prelude.UInt16 - use prelude.prelude.Borrow + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Intrinsic + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'3 
[#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint16 - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'3 self + constant y : uint16 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint16) (y : uint16) : () - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.Int - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'2 x] . inv'2 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + use prelude.prelude.UInt16 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = - [%#sinvariant3] inv'2 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . 
inv'0 x = invariant'0 x + constant x : uint16 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant3] inv'3 self + constant y : uint16 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint16) (y : uint16) : () - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'1 x + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec deref'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:deref 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 - [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 - | s1 = [ &_4 <- _5 ] s2 - | s2 = [ &_2 <- _4 ] s3 - | s3 = [ &_0 <- _2 ] s4 - | s4 = return' {_0} ] - ] - ) - [ & _0 : t_T'0 = any_l () - | & self : t_GhostBox'0 = self - | & _2 : t_T'0 = any_l () - | & _4 : t_T'0 = any_l () - | & _5 : t_T'0 = any_l () ] - - [ return' (result:t_T'0)-> {[@expl:deref result type invariant] [%#sghost1] inv'1 result} - {[@expl:deref ensures] [%#sghost2] self.t_GhostBox__0'0 = result} - (! 
return' {result}) ] - -end -module M_creusot_contracts__ghost__qyi17214052996668775070__deref_mut [#"../../../creusot-contracts/src/ghost.rs" 85 4 85 48] (* as std::ops::DerefMut> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 85 22 85 26 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 85 31 85 48 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 84 14 84 36 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + use prelude.prelude.UInt16 - use prelude.prelude.Borrow + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_T'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint16 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + constant y : uint16 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant4] inv'0 self.current /\ inv'0 self.final + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint16) (y : uint16) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + use prelude.prelude.UInt16 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'2 _1 + use prelude.prelude.Int - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'0 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint16 - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint16) : () - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . 
inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + use prelude.prelude.UInt16 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'0)) = - [%#sinvariant4] inv'3 self.current /\ inv'3 self.final + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'0)) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'0) [inv'2 x] . inv'2 x = invariant'1 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'0)) = - [%#sresolve3] self.final = self.current + constant x : uint16 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'0)) = - resolve'3 _1 + constant y : uint16 - use prelude.prelude.Intrinsic + constant z : uint16 - meta "compute_max_steps" 1000000 + constant o : t_Ordering'0 - let rec deref_mut'0 (self:borrowed (t_GhostBox'0)) (return' (ret:borrowed t_T'0))= {[@expl:deref_mut 'self' type invariant] [%#sghost0] inv'2 self} - (! 
bb0 - [ bb0 = s0 - [ s0 = {inv'0 (self.current).t_GhostBox__0'0} - Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_T'0) -> - [ &_5 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] - s1) - | s1 = {inv'0 _5.current} - Borrow.borrow_final {_5.current} {Borrow.get_id _5} - (fun (_ret':borrowed t_T'0) -> - [ &_4 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_5 <- { _5 with current = _ret'.final } ] - s2) - | s2 = {inv'0 _4.current} - Borrow.borrow_final {_4.current} {Borrow.get_id _4} - (fun (_ret':borrowed t_T'0) -> - [ &_2 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_4 <- { _4 with current = _ret'.final } ] - s3) - | s3 = {inv'0 _2.current} - Borrow.borrow_final {_2.current} {Borrow.get_id _2} - (fun (_ret':borrowed t_T'0) -> - [ &_0 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_2 <- { _2 with current = _ret'.final } ] - s4) - | s4 = {[@expl:type invariant] inv'1 _5} s5 - | s5 = -{resolve'0 _5}- s6 - | s6 = {[@expl:type invariant] inv'1 _4} s7 - | s7 = -{resolve'0 _4}- s8 - | s8 = {[@expl:type invariant] inv'1 _2} s9 - | s9 = -{resolve'0 _2}- s10 - | s10 = {[@expl:type invariant] inv'2 self} s11 - | s11 = -{resolve'1 self}- s12 - | s12 = return' {_0} ] - ] - ) - [ & _0 : borrowed t_T'0 = any_l () - | & self : borrowed (t_GhostBox'0) = self - | & _2 : borrowed t_T'0 = any_l () - | & _4 : borrowed t_T'0 = any_l () - | & _5 : borrowed t_T'0 = any_l () ] - - [ return' (result:borrowed t_T'0)-> {[@expl:deref_mut result type invariant] [%#sghost1] inv'1 result} - {[@expl:deref_mut ensures] [%#sghost2] result - = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} - (! 
return' {result}) ] + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint16) (y : uint16) (z : uint16) (o : t_Ordering'0) : () + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__ghost__qyi2175792468772189056__borrow [#"../../../creusot-contracts/src/ghost.rs" 124 4 124 40] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 124 19 124 23 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 124 28 124 40 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 123 14 123 35 - let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.UInt16 - type t_GhostBox'1 = - { t_GhostBox__0'0: t_T'0 } + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_GhostBox'0 = - { t_GhostBox__0'1: t_T'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Intrinsic + constant x : uint16 - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant y : uint16 - predicate invariant'2 
[#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'6 self + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint16) (y : uint16) : () - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'4 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + use prelude.prelude.UInt16 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'3 [@rewrite] : forall x : t_GhostBox'1 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + use prelude.prelude.Int - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'1) = - [%#sinvariant3] inv'3 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + constant x : uint16 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'1 [inv'0 x] . 
inv'0 x = invariant'0 x + constant y : uint16 - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant3] inv'6 self + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint16) (y : uint16) : () - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'3 x + use prelude.prelude.UInt16 - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'5 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Int - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant x : uint16 - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . 
inv'1 x - = match x with - | {t_GhostBox__0'1 = a_0} -> inv'2 a_0 - end + constant y : uint16 - meta "compute_max_steps" 1000000 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint16) (y : uint16) : () - let rec borrow'0 (self:t_GhostBox'1) (return' (ret:t_GhostBox'0))= {[@expl:borrow 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _5 } ] s1 | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'1 = self | & _5 : t_T'0 = any_l () ] - [ return' (result:t_GhostBox'0)-> {[@expl:borrow result type invariant] [%#sghost1] inv'1 result} - {[@expl:borrow ensures] [%#sghost2] result.t_GhostBox__0'1 = self.t_GhostBox__0'0} - (! return' {result}) ] - + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__ghost__qyi2175792468772189056__borrow_mut [#"../../../creusot-contracts/src/ghost.rs" 138 4 138 52] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 138 27 138 31 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 138 36 138 52 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 137 14 137 39 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_T'0 + 
use prelude.prelude.UInt32 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_GhostBox'1 = - { t_GhostBox__0'0: t_T'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_GhostBox'0 = - { t_GhostBox__0'1: borrowed t_T'0 } + constant x : uint32 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant4] inv'0 self.current /\ inv'0 self.final + constant y : uint32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint32) (y : uint32) : () - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . 
inv'1 x = invariant'0 x + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + use prelude.prelude.Int - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'2 _1 + use prelude.prelude.UInt32 - predicate invariant'3 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'0 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'6 x] . inv'6 x = invariant'3 x + constant x : uint32 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + constant y : uint32 - axiom inv_axiom'4 [@rewrite] : forall x : t_GhostBox'1 [inv'5 x] . 
inv'5 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'6 a_0 - end + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint32) (y : uint32) : () - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'1)) = - [%#sinvariant4] inv'5 self.current /\ inv'5 self.final + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'1)) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'1) [inv'2 x] . 
inv'2 x = invariant'1 x + use prelude.prelude.UInt32 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'1)) = - [%#sresolve3] self.final = self.current + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'1)) = - resolve'3 _1 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Intrinsic + constant x : uint32 - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : borrowed t_T'0) = - [%#sboxed5] inv'1 self + constant y : uint32 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint32) (y : uint32) : () - axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.Int - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . 
inv'3 x - = match x with - | {t_GhostBox__0'1 = a_0} -> inv'4 a_0 - end + use prelude.prelude.UInt32 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec borrow_mut'0 (self:borrowed (t_GhostBox'1)) (return' (ret:t_GhostBox'0))= {[@expl:borrow_mut 'self' type invariant] [%#sghost0] inv'2 self} - (! bb0 - [ bb0 = s0 - [ s0 = {inv'0 (self.current).t_GhostBox__0'0} - Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_T'0) -> - [ &_5 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] - s1) - | s1 = {inv'0 _5.current} - Borrow.borrow_final {_5.current} {Borrow.get_id _5} - (fun (_ret':borrowed t_T'0) -> - [ &_4 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_5 <- { _5 with current = _ret'.final } ] - s2) - | s2 = bb1 ] - - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _4 } ] s1 | s1 = bb2 ] - | bb2 = s0 - [ s0 = {[@expl:type invariant] inv'1 _5} s1 - | s1 = -{resolve'0 _5}- s2 - | s2 = {[@expl:type invariant] inv'2 self} s3 - | s3 = -{resolve'1 self}- s4 - | s4 = return' {_0} ] - ] - ) - [ & _0 : t_GhostBox'0 = any_l () - | & self : borrowed (t_GhostBox'1) = self - | & _4 : borrowed t_T'0 = any_l () - | & _5 : borrowed t_T'0 = any_l () ] - - [ return' (result:t_GhostBox'0)-> {[@expl:borrow_mut result type invariant] [%#sghost1] inv'3 result} - {[@expl:borrow_mut ensures] [%#sghost2] result.t_GhostBox__0'1 - = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} - (! 
return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__conjure [#"../../../creusot-contracts/src/ghost.rs" 155 4 155 28] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 154 15 154 20 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 155 24 155 28 - let%span sboxed2 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - - type t_T'0 - - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint32 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed2] inv'2 self + constant y : uint32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint32) (y : uint32) : () - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt32 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . 
inv'0 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'1 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec conjure'0 (_1:()) (return' (ret:t_GhostBox'0))= {[@expl:conjure requires] [%#sghost0] false} - (! bb0 [ bb0 = bb1 | bb1 = bb1 [ bb1 = (! bb2) [ bb2 = bb1 ] ] ] ) - [ return' (result:t_GhostBox'0)-> {[@expl:conjure result type invariant] [%#sghost1] inv'0 result} - (! return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__new [#"../../../creusot-contracts/src/ghost.rs" 181 4 181 28] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 181 24 181 28 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 - let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_T'0 + constant x : uint32 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint32) : () + + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use 
prelude.prelude.UInt32 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed3] inv'0 self + use prelude.prelude.Int - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + constant x : uint32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant y : uint32 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + constant z : uint32 - meta "compute_max_steps" 1000000 + constant o : t_Ordering'0 - let rec new'0 (x:t_T'0) (return' (ret:t_GhostBox'0))= {[@expl:new 'x' type invariant] [%#sghost0] inv'0 x} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = x } ] s1 | s1 = bb3 ] - | bb3 = bb4 - | bb4 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & x : t_T'0 = x ] - [ return' (result:t_GhostBox'0)-> {[@expl:new result type invariant] [%#sghost1] inv'1 result} - {[@expl:new ensures] [%#sghost2] result.t_GhostBox__0'0 = x} - (! 
return' {result}) ] + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint32) (y : uint32) (z : uint32) (o : t_Ordering'0) : () + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__ghost__qyi2175792468772189056__into_inner [#"../../../creusot-contracts/src/ghost.rs" 199 4 199 32] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 199 31 199 32 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.UInt32 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Intrinsic + use prelude.prelude.Int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed3] inv'1 self + constant x : uint32 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant y : uint32 - axiom 
inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint32) (y : uint32) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + use prelude.prelude.UInt32 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec into_inner'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:into_inner 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 [ bb0 = bb1 | bb1 = s0 [ s0 = [ &_0 <- self.t_GhostBox__0'0 ] s1 | s1 = bb2 ] | bb2 = return' {_0} ] ) - [ & _0 : t_T'0 = any_l () | & self : t_GhostBox'0 = self ] - - [ return' (result:t_T'0)-> {[@expl:into_inner result type invariant] [%#sghost1] inv'1 result} - {[@expl:into_inner ensures] [%#sghost2] result = self.t_GhostBox__0'0} - (! 
return' {result}) ] - -end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__subtract [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 195 15 195 33 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 196 14 196 36 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 197 14 197 46 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 198 14 202 5 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 180 14 184 5 - let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 204 8 204 33 - let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 154 12 154 89 - let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 146 19 146 71 - let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 163 15 163 35 - let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 164 14 170 5 - let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 171 14 171 54 - let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 - let%span sfmap12 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 - let%span sfmap13 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 - let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 - let%span sfmap16 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 - let%span sfmap17 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + use prelude.prelude.Int - type t_FMap'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_K'0 + constant x : uint32 - type t_V'0 + constant y : uint32 - type t_Option'0 = - 
| C_None'0 - | C_Some'0 t_V'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint32) (y : uint32) : () - use map.Map + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) - + use prelude.prelude.UInt32 - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap17] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 - -> view'0 m1 <> view'0 m2 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use map.Map + use prelude.prelude.Int - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 = - [%#sfmap14] Map.get (view'0 self) k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool - - = - [%#sfmap15] get_unsized'0 self k <> C_None'0 + constant x : uint32 - function subset'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 152 4 152 44] (self : t_FMap'0) (other : t_FMap'0) : bool - - = - [%#sfmap6] forall k : t_K'0 . 
contains'0 self k -> get_unsized'0 other k = get_unsized'0 self k + constant y : uint32 - function disjoint'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 145 4 145 46] (self : t_FMap'0) (other : t_FMap'0) : bool - - = - [%#sfmap7] forall k : t_K'0 . not contains'0 self k \/ not contains'0 other k + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint32) (y : uint32) : () + + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int + use prelude.prelude.UInt64 - axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap16] len'0 self >= 0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function union'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 172 4 172 43] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom union'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap8] disjoint'0 self other) - -> ([%#sfmap9] forall k : t_K'0 . 
get_unsized'0 (union'0 self other) k - = (if contains'0 self k then - get_unsized'0 self k - else - if contains'0 other k then get_unsized'0 other k else C_None'0 - )) - && ([%#sfmap10] len'0 (union'0 self other) = len'0 self + len'0 other) + constant x : uint64 - function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool - - = - [%#sfmap13] view'0 self = view'0 other + constant y : uint64 - axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap11] ext_eq'0 self other -> self = other) - && ([%#sfmap12] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint64) (y : uint64) : () - function subtract_keys'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 185 4 185 51] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom subtract_keys'0_spec : forall self : t_FMap'0, other : t_FMap'0 . [%#sfmap4] forall k : t_K'0 . 
get_unsized'0 (subtract_keys'0 self other) k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k) + use prelude.prelude.Int - constant self : t_FMap'0 + use prelude.prelude.UInt64 - constant other : t_FMap'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function subtract'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - goal vc_subtract'0 : ([%#sfmap0] subset'0 other self) - -> ([%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k)) - -> (let result = subtract_keys'0 self other in ([%#sfmap1] disjoint'0 result other) - && ([%#sfmap2] ext_eq'0 (union'0 other result) self) - && ([%#sfmap3] forall k : t_K'0 . 
get_unsized'0 result k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k))) + constant x : uint64 + + constant y : uint64 + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint64) (y : uint64) : () + + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__ext_eq [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + + use prelude.prelude.Int + + use prelude.prelude.UInt64 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_K'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_FMap'0 + constant x : uint64 - type t_V'0 + constant y : uint64 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint64) (y : uint64) : () - use map.Map + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module 
M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) - + use prelude.prelude.Int - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 - -> view'0 m1 <> view'0 m2 + use prelude.prelude.UInt64 - use map.Map + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap4] Map.get (view'0 self) k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant self : t_FMap'0 + constant x : uint64 - constant other : t_FMap'0 + constant y : uint64 - function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint64) (y : uint64) : () - goal vc_ext_eq'0 : ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) - -> ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) - -> (let result = view'0 self = view'0 other in ([%#sfmap0] result -> self = other) - && ([%#sfmap1] (forall k : t_K'0 . 
get_unsized'0 self k = get_unsized'0 other k) -> result)) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__contains_ghost [#"../../../creusot-contracts/src/logic/fmap.rs" 285 4 285 49] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 285 27 285 31 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 285 33 285 36 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 284 14 284 43 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 314 22 314 26 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 314 28 314 31 - let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 314 40 314 50 - let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 306 4 313 11 - let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 36 26 36 51 - let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 - let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 - let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - let%span sutil11 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 - let%span sutil12 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 - let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 452 20 452 91 - let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.UInt64 - type t_FMap'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_K'0 + use prelude.prelude.Int - type t_V'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_Option'1 = - | C_None'1 - | C_Some'1 t_V'0 + constant x : uint64 - use map.Map + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint64) : () - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap14] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 - -> view'0 m1 <> view'0 m2 + use prelude.prelude.UInt64 - use map.Map + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 - - = - [%#sfmap10] Map.get (view'0 self) k + use prelude.prelude.Int - function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap8] get_unsized'0 self k <> C_None'1 - - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - - function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'1) : t_V'0 + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom unwrap'0_spec : forall op : t_Option'1 . ([%#sutil11] op <> C_None'1) - -> ([%#sutil12] C_Some'1 (unwrap'0 op) = op) + constant x : uint64 - function lookup_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 123 4 123 50] (self : t_FMap'0) (k : t_K'0) : t_V'0 - - = - [%#sfmap9] unwrap'0 (get_unsized'0 self k) + constant y : uint64 - predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + constant z : uint64 - predicate invariant'5 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_V'0) = - [%#sboxed16] inv'7 self + constant o : t_Ordering'0 - predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint64) (y : uint64) (z : uint64) (o : t_Ordering'0) : () + - axiom inv_axiom'6 [@rewrite] : forall x : t_V'0 [inv'8 x] . 
inv'8 x = invariant'5 x + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate invariant'4 [#"../../../creusot-contracts/src/logic/fmap.rs" 451 4 451 30] (self : t_FMap'0) = - [%#sfmap15] forall k : t_K'0 . contains'0 self k -> inv'6 k /\ inv'8 (lookup_unsized'0 self k) + use prelude.prelude.UInt64 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'5 [@rewrite] : forall x : t_FMap'0 [inv'5 x] . inv'5 x = invariant'4 x + use prelude.prelude.Int - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_FMap'0) = - [%#sinvariant13] inv'5 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) + constant x : uint64 - axiom inv_axiom'0 [@rewrite] : forall x : t_FMap'0 [inv'0 x] . 
inv'0 x = invariant'0 x + constant y : uint64 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_K'0) = - [%#sinvariant13] inv'6 self + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint64) (y : uint64) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'1 [@rewrite] : forall x : t_K'0 [inv'1 x] . inv'1 x = invariant'1 x + use prelude.prelude.UInt64 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_V'0) = - [%#sinvariant13] inv'7 self + use prelude.prelude.Int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'4 [@rewrite] : forall x : t_V'0 [inv'4 x] . inv'4 x = invariant'3 x + constant x : uint64 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + constant y : uint64 - axiom inv_axiom'2 [@rewrite] : forall x : t_Option'0 [inv'2 x] . 
inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint64) (y : uint64) : () - let rec get_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:t_Option'0))= {[@expl:get_ghost 'self' type invariant] [%#sfmap3] inv'0 self} - {[@expl:get_ghost 'key' type invariant] [%#sfmap4] inv'1 key} - any - [ return' (result:t_Option'0)-> {[%#sfmap5] inv'2 result} - {[%#sfmap6] if contains'0 self key then - match result with - | C_None'0 -> false - | C_Some'0 r -> lookup_unsized'0 self key = r - end - else - result = C_None'0 - } - (! return' {result}) ] - + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Option'0) = - [%#sinvariant13] inv'2 self + use prelude.prelude.UInt64 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x = invariant'2 x + use prelude.prelude.Int - let rec is_some'0 (self:t_Option'0) (return' (ret:bool))= {[@expl:is_some 'self' type invariant] inv'3 self} - any [ return' (result:bool)-> {[%#soption7] result = (self <> C_None'0)} (! 
return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Intrinsic + constant x : uint64 - meta "compute_max_steps" 1000000 + constant y : uint64 - let rec contains_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:bool))= {[@expl:contains_ghost 'self' type invariant] [%#sfmap0] inv'0 self} - {[@expl:contains_ghost 'key' type invariant] [%#sfmap1] inv'1 key} - (! bb0 - [ bb0 = s0 [ s0 = get_ghost'0 {self} {key} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = is_some'0 {_5} (fun (_ret':bool) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : bool = any_l () | & self : t_FMap'0 = self | & key : t_K'0 = key | & _5 : t_Option'0 = any_l () ] - [ return' (result:bool)-> {[@expl:contains_ghost ensures] [%#sfmap2] result = contains'0 self key} - (! 
return' {result}) ] - + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint64) (y : uint64) : () + + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int) (y : int) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint128) (y : uint128) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = 
"../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int) (y : int) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint128) (y : uint128) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant 
y : int + constant y : uint128 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int) (y : int) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint128) (y : uint128) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int) (y : int) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint128) (y : uint128) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint128) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] 
(self : uint128) (o : uint128) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - constant z : int + constant z : uint128 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int) (y : int) (z : int) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint128) (y : uint128) (z : uint128) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int) (y : int) : () + function antisym1'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint128) (y : uint128) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int) (y : int) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint128) (y : uint128) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int) (y : int) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint128) (y : uint128) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if 
self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint8) (y : uint8) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : usize) (y : usize) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint8) (y : uint8) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : usize) (y : usize) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) 
+module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint8) (y : uint8) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : usize) (y : usize) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : 
uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint8) (y : uint8) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : usize) (y : usize) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -11086,25 +14448,25 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint8) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : usize) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -11113,31 +14475,31 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - constant z : uint8 + constant z : usize constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint8) (y : uint8) (z : uint8) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : usize) (y : usize) (z : usize) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -11146,26 +14508,26 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint8) (y : uint8) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : usize) (y : usize) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -11174,25 +14536,25 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint8) (y : uint8) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : usize) (y : usize) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 
@@ -11201,133 +14563,133 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint8) (y : uint8) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : usize) (y : usize) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 
130 8 130 39] (x : uint16) (y : uint16) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int8) (y : int8) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint16) (y : uint16) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int8) (y : int8) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span 
sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint16) (y : uint16) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int8) (y : int8) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else 
C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint16) (y : uint16) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int8) (y : int8) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -11336,25 +14698,25 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint16) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int8) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -11363,31 +14725,31 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - constant z : uint16 + constant z : int8 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint16) (y : uint16) (z : uint16) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int8) (y : int8) (z : int8) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -11396,26 +14758,26 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint16) (y : uint16) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int8) (y : int8) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -11424,25 +14786,25 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint16) (y : uint16) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int8) (y : int8) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 
@@ -11451,133 +14813,133 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint16) (y : uint16) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int8) (y : int8) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint32) (y : uint32) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int16) (y : int16) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint32) (y : uint32) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int16) (y : int16) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint32) (y : uint32) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int16) (y : int16) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = 
[%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint32) (y : uint32) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int16) (y : int16) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -11586,25 +14948,25 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint32) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int16) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -11613,31 +14975,31 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - constant z : uint32 + constant z : int16 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint32) (y : uint32) (z : uint32) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int16) (y : int16) (z : int16) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -11646,26 +15008,26 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint32) (y : uint32) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int16) (y : int16) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -11674,25 +15036,25 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint32) (y : uint32) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int16) (y : int16) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 
@@ -11701,133 +15063,133 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint32) (y : uint32) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int16) (y : int16) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint64) (y : uint64) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int32) (y : int32) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint64) (y : uint64) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int32) (y : int32) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint64) (y : uint64) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int32) (y : int32) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = 
[%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint64) (y : uint64) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int32) (y : int32) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -11836,25 +15198,25 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint64) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int32) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -11863,31 +15225,31 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - constant z : uint64 + constant z : int32 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint64) (y : uint64) (z : uint64) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int32) (y : int32) (z : int32) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -11896,26 +15258,26 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint64) (y : uint64) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int32) (y : int32) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -11924,25 +15286,25 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint64) (y : uint64) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int32) (y : int32) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 
@@ -11951,133 +15313,133 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint64) (y : uint64) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int32) (y : int32) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint128) (y : uint128) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int64) (y : int64) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint128) (y : uint128) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int64) (y : int64) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint128) (y : uint128) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int64) (y : int64) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : 
t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint128) (y : uint128) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int64) (y : int64) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -12086,25 +15448,25 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint128) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int64) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -12113,31 +15475,31 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - constant z : uint128 + constant z : int64 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint128) (y : uint128) (z : uint128) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int64) (y : int64) (z : int64) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -12146,26 +15508,26 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint128) (y : uint128) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int64) (y : int64) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -12174,25 +15536,25 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint128) (y : uint128) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int64) (y : int64) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 
@@ -12201,133 +15563,133 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint128) (y : uint128) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int64) (y : int64) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : usize) (y : usize) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int128) (y : int128) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : usize) (y : usize) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int128) (y : int128) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : usize) (y : usize) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int128) (y : int128) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : 
t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : usize) (y : usize) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int128) (y : int128) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -12336,25 +15698,25 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : usize) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int128) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -12363,31 +15725,31 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - constant z : usize + constant z : int128 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : usize) (y : usize) (z : usize) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int128) (y : int128) (z : int128) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -12396,26 +15758,26 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : usize) (y : usize) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int128) (y : int128) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -12424,25 +15786,25 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : usize) (y : usize) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int128) (y : int128) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 
@@ -12451,133 +15813,133 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : usize) (y : usize) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int128) (y : int128) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_le_log'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int8) (y : int8) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : isize) (y : isize) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int8) (y : int8) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : isize) (y : isize) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = 
"../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int8) (y : int8) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : isize) (y : isize) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if 
self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int8) (y : int8) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : isize) (y : isize) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -12586,25 +15948,25 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int8) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : isize) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -12613,31 +15975,31 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - constant z : int8 + constant z : isize constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int8) (y : int8) (z : int8) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : isize) (y : isize) (z : isize) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -12646,26 +16008,26 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int8) (y : int8) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : isize) (y : isize) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -12674,25 +16036,25 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int8) (y : int8) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : isize) (y : isize) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 
@@ -12701,1548 +16063,1363 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int8) (y : int8) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : isize) (y : isize) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, 
o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o <> C_Greater'0 - constant y : int16 + constant x : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : bool) (y : bool) : () + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | 
(False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o = C_Less'0 - constant y : int16 + constant x : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : bool) (y : bool) : () + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + 
function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o <> C_Less'0 - constant y : int16 + constant x : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : bool) (y : bool) : () + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self 
: bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o = C_Greater'0 - constant y : int16 + constant x : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : bool) (y : bool) : () + + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int16) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : bool) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x 
= C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord4] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - constant z : int16 + constant z : bool constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int16) (y : int16) (z : int16) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : bool) (y : bool) (z : bool) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym1 
[#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int16) (y : int16) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : bool) (y : bool) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span 
sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int16) (y : int16) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : bool) (y : bool) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | 
C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int16) (y : int16) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : bool) (y : bool) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* <(A, B) as logic::ord::OrdLogic> *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 276 20 276 68 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 
14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int32 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int32) (y : int32) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - use prelude.prelude.Int32 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int32 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int32) (y : int32) : () + axiom refl'0_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int32 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int32 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int32 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int32) (y : int32) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int32 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int32) (y : int32) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int32 + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int32) : () + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int32 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + axiom cmp_le_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'2 x y = (cmp_log'1 x y <> C_Greater'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 275 4 275 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ le_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ lt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) - constant y : int32 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant z : int32 + constant x : (t_A'0, t_B'0) - constant o : t_Ordering'0 + constant y : (t_A'0, t_B'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int32) (y : int32) (z : int32) (o : t_Ordering'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 
8 135 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 282 20 282 67 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int32 + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int32 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int32) (y : int32) : () + axiom refl'0_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int32 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int32 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int32 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int32) (y : int32) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int32 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 - - constant y : int32 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int32) (y : int32) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use prelude.prelude.Int64 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int64 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int64) (y : int64) : () + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : int64 + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant y : int64 + function lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int64) (y : int64) : () + function cmp_lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'2 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int64 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 281 4 281 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ lt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ lt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) - constant x : int64 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant y : int64 + constant x : (t_A'0, t_B'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int64) (y : int64) : () + constant y : (t_A'0, t_B'0) - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 
145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 288 20 288 68 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int64 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : 
int64) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 - - constant y : int64 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int64) (y : int64) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int64 + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int64) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - use prelude.prelude.Int64 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - constant x : int64 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant y : int64 + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant z : int64 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - constant o : t_Ordering'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int64) (y : int64) (z : int64) (o : t_Ordering'0) : () + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int64 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int64) (y : int64) : () + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int64 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : int64 + axiom cmp_ge_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'2 x y = (cmp_log'1 x y <> C_Less'0) - constant y : int64 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int64) (y : int64) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int64 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 287 4 287 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ ge_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ gt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) - constant x : int64 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant y : int64 + constant x : (t_A'0, t_B'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int64) (y : int64) : () + constant y : (t_A'0, t_B'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 
130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 294 20 294 67 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int128 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) 
: t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int128 - constant y : int128 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int128) (y : int128) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - use prelude.prelude.Int128 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int128 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int128) (y : int128) : () + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int128 + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int128 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int128 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int128) (y : int128) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int128 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 - - constant y : int128 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int128) (y : int128) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int128 + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int128) : () + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom refl'1_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int128 + function gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_gt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'2 x y = (cmp_log'1 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 - - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - constant x : int128 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant y : int128 + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant z : int128 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - constant o : t_Ordering'0 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int128) (y : int128) (z : int128) (o : t_Ordering'0) : () - + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int128 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 293 4 293 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + + = + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ gt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ gt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : int128 + constant x : (t_A'0, t_B'0) - constant y : int128 + constant y : (t_A'0, t_B'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int128) (y : int128) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module 
M_creusot_contracts__logic__ord__qyi1910662420989811789__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int128 + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int128 - constant y : int128 + function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int128) (y : int128) : () + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int128 + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int128 - constant y : int128 + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . 
([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int128) (y : int128) : () + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom refl'1_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.IntSize + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - constant x : isize + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant y : isize + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : isize) (y : isize) : () + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.IntSize + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - constant x : isize + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - constant y : isize + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : isize) (y : isize) : () + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) + -> ([%#sord14] cmp_log'2 y x = C_Less'0) - use prelude.prelude.IntSize + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord11] cmp_log'2 x y = C_Less'0) + -> ([%#sord12] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) + -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) - constant y : isize + function refl'2 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : isize) (y : isize) : () + axiom refl'2_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.IntSize + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : isize + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant y : isize + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : isize) (y : isize) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.IntSize + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : isize + constant x : (t_A'0, t_B'0) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : isize) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : (t_A'0, t_B'0)) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi1910662420989811789__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* <(A, B) as logic::ord::OrdLogic> *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = 
"../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.IntSize + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - constant y : isize + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant z : isize + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - constant o : t_Ordering'0 + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : isize) (y : isize) (z : isize) (o : t_Ordering'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - use prelude.prelude.IntSize + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom refl'0_spec : forall x : t_A'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - constant x : isize + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - constant y : isize + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : isize) (y : isize) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use prelude.prelude.IntSize + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - constant x : isize + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - constant y : isize + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : isize) (y : isize) : () + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.IntSize + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord17] (x = y) = (cmp_log'2 x y = C_Equal'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord15] cmp_log'2 x y = C_Greater'0) + -> ([%#sord16] cmp_log'2 y x = C_Less'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord13] cmp_log'2 x y = C_Less'0) + -> ([%#sord14] cmp_log'2 y x = C_Greater'0) + + function trans'2 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + axiom trans'2_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord10] cmp_log'2 x y = o) + -> ([%#sord11] cmp_log'2 y z = o) -> ([%#sord12] cmp_log'2 x z = o) - constant y : isize + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : isize) (y : isize) : () + axiom refl'1_spec : forall x : t_B'0 . [%#sord9] cmp_log'2 x x = C_Equal'0 - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord8] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant x : bool + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - constant y : bool + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : bool) (y : bool) : () + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : 
t_Ordering'0 + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + [%#sord4] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o = C_Less'0 + constant x : (t_A'0, t_B'0) - constant x : bool + constant y : (t_A'0, t_B'0) - constant y : bool + constant z : (t_A'0, t_B'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : bool) (y : bool) : () + constant o : t_Ordering'0 - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) (z : (t_A'0, t_B'0)) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] 
(* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : bool) (o : bool) : bool = - [%#sord2] 
cmp_log'0 self o <> C_Less'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - constant x : bool + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant y : bool + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : bool) (y : bool) : () + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o = C_Greater'0 - constant x : bool + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : bool + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : bool) (y : bool) : () + axiom refl'0_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord2] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - constant x : bool + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : bool) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord4] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - constant x : bool + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - constant y : bool + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - constant z : bool + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - constant o : t_Ordering'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : bool) (y : bool) (z : bool) (o : t_Ordering'0) : () + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) + + function antisym1'2 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym1'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - constant x : bool + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : bool + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : bool) (y : bool) : () + axiom refl'1_spec : forall x : t_B'0 . 
[%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant y : bool + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : bool) (y : bool) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : bool + constant x : (t_A'0, t_B'0) - constant y : bool + constant y : (t_A'0, t_B'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : bool) (y : bool) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 276 20 276 68 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 let%span sord4 = 
"../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 
@@ -14267,114 +17444,107 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#".. | C_Equal'0 | C_Greater'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + function antisym2'2 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + axiom antisym2'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function cmp_le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_le_log'2_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'2 x y = (cmp_log'1 x y <> C_Greater'0) + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 275 4 275 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ le_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ lt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 
@@ -14389,1650 +17559,2429 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#".. constant y : (t_A'0, t_B'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 282 20 282 67 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 
90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_A'0 + + type t_B'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + + + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + + axiom refl'0_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - type t_A'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - type t_B'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function eq_cmp'2 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom eq_cmp'2_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord13] cmp_log'2 x y = C_Greater'0) + -> ([%#sord14] cmp_log'2 y x = C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) + -> ([%#sord12] cmp_log'2 y x = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) + -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom refl'1_spec : forall x : t_B'0 . 
[%#sord7] cmp_log'2 x x = C_Equal'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + constant x : (t_A'0, t_B'0) - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : (t_A'0, t_B'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__logic__seq__qyi345269549310492227__concat_contains [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (* logic::seq::Seq *) + let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq1 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use seq.Seq - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Int - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use seq.Seq - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq2] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + constant _1 : () - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + goal vc_concat_contains'0 : [%#sseq0] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x +end +module M_creusot_contracts__ptr_own__qyi17842610664047605351__new [#"../../../creusot-contracts/src/ptr_own.rs" 52 4 52 56] (* ptr_own::PtrOwn *) + let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 52 15 52 16 + let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 52 24 52 56 + let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 51 14 51 64 + let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 61 20 61 23 + let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 61 36 61 68 + let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 60 14 60 67 + let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 + let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + let%span sptr_own8 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 + let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed7] inv'0 self - function cmp_lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_lt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'2 x y = (cmp_log'1 x y = C_Less'0) + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Opaque - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_PtrOwn'0 - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_PtrOwn'0 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 281 4 281 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ lt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ lt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) + use prelude.prelude.Borrow - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr - constant x : (t_A'0, t_B'0) + use prelude.prelude.Int - constant y : (t_A'0, t_B'0) + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = + [%#sptr10] addr_logic'0 self = 0 + + axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr9] is_null_logic'0 self = (addr_logic'0 self = 0) + + function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + + predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = + [%#sptr_own8] not is_null_logic'0 (ptr'0 self) /\ inv'2 (val'0 self) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + + axiom inv_axiom'4 [@rewrite] : forall x : t_PtrOwn'0 [inv'5 x] . 
inv'5 x = invariant'2 x + + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = + [%#sboxed7] inv'5 self + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'1 x + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (opaque_ptr, t_GhostBox'0)) + + axiom inv_axiom'0 [@rewrite] : forall x : (opaque_ptr, t_GhostBox'0) [inv'1 x] . inv'1 x + = (let (x0, x1) = x in inv'3 x1) + + function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = + [%#sghost6] self.t_GhostBox__0'0 + + let rec from_box'0 (val':t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:from_box 'val' type invariant] [%#sptr_own3] inv'2 val'} + any + [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[%#sptr_own4] inv'1 result} + {[%#sptr_own5] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) + /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = val'} + (! return' {result}) ] - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec new'0 (v:t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:new 'v' type invariant] [%#sptr_own0] inv'0 v} + (! 
bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = s0 [ s0 = from_box'0 {v} (fun (_ret':(opaque_ptr, t_GhostBox'0)) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : (opaque_ptr, t_GhostBox'0) = any_l () | & v : t_T'0 = v ] + [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[@expl:new result type invariant] [%#sptr_own1] inv'1 result} + {[@expl:new ensures] [%#sptr_own2] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) + /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = v} + (! return' {result}) ] + end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 288 20 288 68 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - 
let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__ptr_own__qyi17842610664047605351__drop [#"../../../creusot-contracts/src/ptr_own.rs" 98 4 98 57] (* ptr_own::PtrOwn *) + let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 98 32 98 35 + let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 97 15 97 31 + let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 92 34 92 37 + let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 89 15 89 31 + let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 92 63 92 69 + let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 90 14 90 35 + let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 + let%span sresolve7 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 + let%span sboxed8 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + let%span sptr_own9 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 + let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr11 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - type t_A'0 + type t_PtrOwn'0 - type t_B'0 + type t_GhostBox'0 = + { t_GhostBox__0'0: t_PtrOwn'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use prelude.prelude.Borrow - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + use prelude.prelude.Int + + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = + [%#sptr11] addr_logic'0 self = 0 - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr10] is_null_logic'0 self = (addr_logic'0 self = 0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + type t_T'0 - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed8] inv'3 self - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_T'0 [inv'0 x] . 
inv'0 x = invariant'0 x - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = + [%#sptr_own9] not is_null_logic'0 (ptr'0 self) /\ inv'0 (val'0 self) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'2 x - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = + [%#sboxed8] inv'4 self - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + axiom inv_axiom'2 [@rewrite] : forall x : t_PtrOwn'0 [inv'2 x] . inv'2 x = invariant'1 x - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = + [%#sghost6] self.t_GhostBox__0'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + let rec to_box'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:to_box 'own' type invariant] [%#sptr_own2] inv'1 own} + {[@expl:to_box requires] [%#sptr_own3] ptr = ptr'0 (inner_logic'0 own)} + any + [ return' (result:t_T'0)-> {[%#sptr_own4] inv'0 result} + {[%#sptr_own5] result = val'0 (inner_logic'0 own)} + (! return' {result}) ] + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = + [%#sresolve7] resolve'2 self - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) = + resolve'1 _1 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Intrinsic - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + meta "compute_max_steps" 1000000 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + let rec drop'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:()))= {[@expl:drop 'own' type invariant] [%#sptr_own0] inv'1 own} + {[@expl:drop requires] [%#sptr_own1] ptr = ptr'0 (inner_logic'0 own)} + (! 
bb0 + [ bb0 = s0 [ s0 = to_box'0 {ptr} {own} (fun (_ret':t_T'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = {[@expl:type invariant] inv'0 _4} s1 | s1 = -{resolve'0 _4}- s2 | s2 = bb2 ] + | bb2 = bb3 + | bb3 = return' {_0} ] + ) [ & _0 : () = any_l () | & ptr : opaque_ptr = ptr | & own : t_GhostBox'0 = own | & _4 : t_T'0 = any_l () ] + [ return' (result:())-> (! return' {result}) ] + +end +module M_creusot_contracts__resolve__qyi4855891653524509355__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (* <(T1, T2) as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 45 15 45 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 46 14 46 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 43 4 43 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 40 8 40 44 - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Borrow - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_T1'0 - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_T2'0 - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T2'0) - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T1'0) - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : (t_T1'0, t_T2'0)) = + match _1 with + | (x0, x1) -> resolve'1 x1 /\ resolve'2 x0 + end - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 39 4 39 28] (self : (t_T1'0, t_T2'0)) = + [%#sresolve3] resolve'2 (let (a, _) = self in a) /\ resolve'1 (let (_, a) = self in a) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + constant self : (t_T1'0, t_T2'0) - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (self : (t_T1'0, t_T2'0)) : () - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi6740873903368268328__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (* <&mut T as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 59 15 59 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 60 14 60 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 57 4 57 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - function ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Borrow - function cmp_ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom cmp_ge_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'2 x y = (cmp_log'1 x y <> C_Less'0) + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : borrowed t_T'0) = + _1.final = _1.current - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + constant self : borrowed t_T'0 - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (self : borrowed t_T'0) : () - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi10830812895881240411__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (* as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 73 15 73 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 74 14 74 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 71 4 71 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Borrow - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + type t_T'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 287 4 287 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ ge_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ gt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_T'0) = + resolve'1 _1 - constant x : (t_A'0, t_B'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = + [%#sresolve3] resolve'1 self - constant y : (t_A'0, t_B'0) + constant self : t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (self : t_T'0) : () - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 294 20 294 67 - let%span 
sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__resolve__qyi12875730110607858017__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (* as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 90 15 90 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 91 14 91 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 88 4 88 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - type t_A'0 + use prelude.prelude.Borrow - type t_B'0 + type t_T'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - function eq_cmp'0 
[#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_Option'0) = + match _1 with + | C_None'0 -> true + | C_Some'0 x0 -> resolve'1 x0 + end - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = + [%#sresolve3] match self with + | C_Some'0 x -> resolve'1 x + | C_None'0 -> true + end - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + constant self : t_Option'0 - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (self : t_Option'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__snapshot__qyi5567339964777190687__clone [#"../../../creusot-contracts/src/snapshot.rs" 59 4 59 27] (* as std::clone::Clone> *) + let%span ssnapshot0 = "../../../creusot-contracts/src/snapshot.rs" 58 14 58 29 - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + type t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + use prelude.prelude.Snapshot - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + use prelude.prelude.Intrinsic - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + use prelude.prelude.Borrow - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + meta "compute_max_steps" 1000000 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + let rec clone'0 (self:Snapshot.snap_ty t_T'0) (return' (ret:Snapshot.snap_ty t_T'0))= (! bb0 + [ bb0 = s0 [ s0 = [ &_0 <- self ] s1 | s1 = return' {_0} ] ] + ) [ & _0 : Snapshot.snap_ty t_T'0 = any_l () | & self : Snapshot.snap_ty t_T'0 = self ] + [ return' (result:Snapshot.snap_ty t_T'0)-> {[@expl:clone ensures] [%#ssnapshot0] result = self} + (! return' {result}) ] + +end +module M_creusot_contracts__util__unwrap [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] + let%span sutil0 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil1 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 + let%span sutil2 = "../../../creusot-contracts/src/util.rs" 45 11 45 16 + let%span sutil3 = "../../../creusot-contracts/src/util.rs" 46 10 46 15 + let%span sutil4 = "../../../creusot-contracts/src/util.rs" 47 10 47 11 + let%span sutil5 = "../../../creusot-contracts/src/util.rs" 58 4 61 5 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_T'0 - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function unreachable'0 [#"../../../creusot-contracts/src/util.rs" 48 0 48 28] (_1 : ()) : t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + axiom unreachable'0_spec : forall _1 : () . ([%#sutil2] false) -> ([%#sutil3] false) - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + constant op : t_Option'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'0) : t_T'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + goal vc_unwrap'0 : ([%#sutil0] op <> C_None'0) + -> match op with + | C_Some'0 t -> [%#sutil1] C_Some'0 t = op + | C_None'0 -> ([@expl:unreachable requires] [%#sutil2] false) + /\ (([%#sutil3] false) -> ([%#sutil1] C_Some'0 (unreachable'0 ()) = op)) + end +end +module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_refl__refines [#"../../../creusot-contracts/src/std/array.rs" 73 4 73 26] (* as std::iter::Iterator> *) + let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 73 4 73 26 + let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + use prelude.prelude.Slice - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_T'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_T'0 } - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + type t_MaybeUninit'0 = + { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_IndexRange'0 = + { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_IntoIter'0 = + { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use seq.Seq - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - - function gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - - function cmp_gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - - axiom cmp_gt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'2 x y = (cmp_log'1 x y = C_Greater'0) + goal refines : [%#sarray0] forall self : t_IntoIter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_trans__refines [#"../../../creusot-contracts/src/std/array.rs" 80 4 80 90] (* as std::iter::Iterator> *) + let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 80 4 80 90 + let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Slice - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_T'0 } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_MaybeUninit'0 = + { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UIntSize - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + type t_IndexRange'0 = + { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_IntoIter'0 = + { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 293 4 293 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ gt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ gt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - - - constant x : (t_A'0, t_B'0) - - constant y : (t_A'0, t_B'0) - - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) + goal refines : [%#sarray0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_A'0 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 79 4 79 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 79 4 79 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span 
sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_B'0 + use prelude.prelude.UInt16 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Opaque - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UIntSize - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + 
| C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom refl'1_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + type t_K'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + type t_V'0 - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + type t_FMap'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_IntoIter'0) : t_FMap'0 + - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Int - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_DeepModelTy'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + use map.Map - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord13] cmp_log'2 x y = C_Greater'0) - -> ([%#sord14] cmp_log'2 y x = C_Less'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap6] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) - -> ([%#sord12] cmp_log'2 y x = C_Greater'0) + use map.Map - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap5] Map.get (view'1 self) k - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) - -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function refl'2 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . 
get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + goal refines : [%#shash_map0] forall self : t_IntoIter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 86 4 86 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 86 4 86 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom refl'2_spec : forall x : t_B'0 . 
[%#sord7] cmp_log'2 x x = C_Equal'0 + use prelude.prelude.UInt16 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use prelude.prelude.Opaque - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.UIntSize - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + 
type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + type t_K'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + type t_V'0 - constant x : (t_A'0, t_B'0) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : (t_A'0, t_B'0)) : () + type t_FMap'0 - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = 
"../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_IntoIter'0) : t_FMap'0 + - type t_A'0 + use prelude.prelude.Int - type t_B'0 + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_DeepModelTy'0 - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap6] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use map.Map - axiom refl'0_spec : forall x : t_A'0 . 
[%#sord9] cmp_log'1 x x = C_Equal'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap5] Map.get (view'1 self) k - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + goal refines : [%#shash_map0] forall a : t_IntoIter'0 . forall ab : Seq.seq (t_K'0, t_V'0) . forall b : t_IntoIter'0 . forall bc : Seq.seq (t_K'0, t_V'0) . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 138 4 138 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 138 4 138 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UInt16 - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Opaque - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use prelude.prelude.UIntSize - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord17] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord15] cmp_log'2 x y = C_Greater'0) - -> ([%#sord16] cmp_log'2 y x = C_Less'0) + type t_K'0 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + type t_V'0 - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Less'0) - -> ([%#sord14] cmp_log'2 y x = C_Greater'0) + use seq.Seq - function trans'2 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + type t_FMap'0 + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 97 4 97 33] (self : t_Iter'0) : t_FMap'0 - axiom trans'2_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord10] cmp_log'2 x y = o) - -> ([%#sord11] cmp_log'2 y z = o) -> ([%#sord12] cmp_log'2 x z = o) + use prelude.prelude.Int - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom refl'1_spec : forall x : t_B'0 . [%#sord9] cmp_log'2 x x = C_Equal'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord8] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_DeepModelTy'0 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use map.Map - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord5] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 = - [%#sord4] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r + [%#sfmap6] Map.get (view'1 self) k + + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - constant x : (t_A'0, t_B'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 105 4 105 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 
0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - constant y : (t_A'0, t_B'0) + use seq.Seq - constant z : (t_A'0, t_B'0) + goal refines : [%#shash_map0] forall a : t_Iter'0 . forall ab : Seq.seq (t_K'0, t_V'0) . forall b : t_Iter'0 . forall bc : Seq.seq (t_K'0, t_V'0) . forall c : t_Iter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 131 4 131 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 131 4 131 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - constant o : t_Ordering'0 + use prelude.prelude.UInt16 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) (z : (t_A'0, t_B'0)) (o : t_Ordering'0) : () - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym1 
[#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - type t_A'0 + use prelude.prelude.Opaque - type t_B'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: 
opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UIntSize - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Borrow - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + type t_K'0 + + type t_V'0 + + use seq.Seq + + type t_FMap'0 + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 97 4 97 33] (self : t_Iter'0) : t_FMap'0 - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Int - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + axiom len'0_spec : forall self : t_FMap'0 . 
[%#sfmap2] len'0 self >= 0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + type t_DeepModelTy'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use map.Map - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap6] Map.get (view'1 self) k - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 105 4 105 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . 
deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + goal refines : [%#shash_map0] forall self : t_Iter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 190 4 190 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 190 4 190 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + use prelude.prelude.UInt16 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . 
([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function antisym1'2 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Opaque - axiom antisym1'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + use prelude.prelude.UIntSize - axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use prelude.prelude.Borrow - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_K'0 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + type t_V'0 - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + use seq.Seq - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_FMap'0 - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 149 4 149 33] (self : t_IterMut'0) : t_FMap'0 + - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use prelude.prelude.Int - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - constant x : (t_A'0, t_B'0) + type t_DeepModelTy'0 - constant y : (t_A'0, t_B'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = 
"../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_V'0) - type t_A'0 + use map.Map - type t_B'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap6] Map.get (view'1 self) k - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'0 self - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 157 4 157 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'1 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'1 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'1 (let (a, _) = Seq.get visited i1 in a) = deep_model'1 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + goal refines : [%#shash_map0] forall a : t_IterMut'0 . forall ab : Seq.seq (t_K'0, borrowed t_V'0) . forall b : t_IterMut'0 . forall bc : Seq.seq (t_K'0, borrowed t_V'0) . forall c : t_IterMut'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 183 4 183 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 183 4 183 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.UInt16 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use prelude.prelude.Opaque - axiom refl'0_spec : forall x : t_A'0 . 
[%#sord8] cmp_log'1 x x = C_Equal'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.UIntSize - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Borrow - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_K'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_V'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_FMap'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 149 4 149 33] (self : t_IterMut'0) : t_FMap'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + use prelude.prelude.Int - function antisym2'2 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom antisym2'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + use seq.Seq - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . 
([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + type t_DeepModelTy'0 - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_V'0) - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + use map.Map - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use map.Map - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap6] Map.get (view'1 self) k - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'0 self + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 157 4 157 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'1 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'1 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 
0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'1 (let (a, _) = Seq.get visited i1 in a) = deep_model'1 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + goal refines : [%#shash_map0] forall self : t_IterMut'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 102 4 102 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 102 4 102 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use prelude.prelude.UInt16 - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use prelude.prelude.Opaque - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - constant x : (t_A'0, t_B'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - constant y : (t_A'0, t_B'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + use prelude.prelude.UIntSize - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 
32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_A'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_B'0 + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | 
C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . 
([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + type t_DeepModelTy'0 + + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use set.Fset + + use seq.Seq + + use prelude.prelude.Int - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use set.Fset - axiom refl'0_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) + + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 89 4 89 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#shash_set1] set_produces'0 self visited o - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + goal refines : [%#shash_set0] forall self : t_IntoIter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 109 4 109 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 109 4 109 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.UInt16 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Opaque - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . 
[%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function eq_cmp'2 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.UIntSize - axiom eq_cmp'2_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) - -> ([%#sord14] cmp_log'2 y x = C_Less'0) + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 
+ | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) - -> ([%#sord12] cmp_log'2 y x = C_Greater'0) + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) - -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom refl'1_spec : forall x : t_B'0 . 
[%#sord7] cmp_log'2 x x = C_Equal'0 + type t_T'0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_DeepModelTy'0 - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use set.Fset - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 + - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use set.Fset - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + use seq.Seq - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.Int - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + use set.Fset - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . 
[%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) = - [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 89 4 89 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#shash_set1] set_produces'0 self visited o - constant x : (t_A'0, t_B'0) + use seq.Seq - constant y : (t_A'0, t_B'0) + goal refines : [%#shash_set0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . 
produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 148 4 148 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 148 4 148 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + use prelude.prelude.UInt16 - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__ptr_own__qyi17842610664047605351__new [#"../../../creusot-contracts/src/ptr_own.rs" 52 4 52 56] (* ptr_own::PtrOwn *) - let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 52 15 52 16 - let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 52 24 52 56 - let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 51 14 51 64 - let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 61 20 61 23 - let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 61 36 61 68 - let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 60 14 60 67 - let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 - let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sptr_own8 = 
"../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 - let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_T'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Opaque - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed7] inv'0 self + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - use prelude.prelude.Opaque + use prelude.prelude.UIntSize - type t_PtrOwn'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_GhostBox'0 = - { t_GhostBox__0'0: t_PtrOwn'0 } + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - use prelude.prelude.Borrow + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - use prelude.prelude.Int + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + use prelude.prelude.Borrow - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = - [%#sptr10] addr_logic'0 self = 0 + type t_T'0 - axiom 
is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr9] is_null_logic'0 self = (addr_logic'0 self = 0) + use seq.Seq - function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + type t_DeepModelTy'0 - predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = - [%#sptr_own8] not is_null_logic'0 (ptr'0 self) /\ inv'2 (val'0 self) + use set.Fset - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 120 4 120 33] (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 + - axiom inv_axiom'4 [@rewrite] : forall x : t_PtrOwn'0 [inv'5 x] . inv'5 x = invariant'2 x + use set.Fset - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = - [%#sboxed7] inv'5 self + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + use prelude.prelude.Int - axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'1 x + use set.Fset - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . 
inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (opaque_ptr, t_GhostBox'0)) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - axiom inv_axiom'0 [@rewrite] : forall x : (opaque_ptr, t_GhostBox'0) [inv'1 x] . inv'1 x - = (let (x0, x1) = x in inv'3 x1) + use seq.Seq - function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = - [%#sghost6] self.t_GhostBox__0'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - let rec from_box'0 (val':t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:from_box 'val' type invariant] [%#sptr_own3] inv'2 val'} - any - [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[%#sptr_own4] inv'1 result} - {[%#sptr_own5] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) - /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = val'} - (! return' {result}) ] + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . 
contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - use prelude.prelude.Intrinsic + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 128 4 128 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#shash_set1] set_produces'0 self visited o - meta "compute_max_steps" 1000000 + use seq.Seq - let rec new'0 (v:t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:new 'v' type invariant] [%#sptr_own0] inv'0 v} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = s0 [ s0 = from_box'0 {v} (fun (_ret':(opaque_ptr, t_GhostBox'0)) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] - | bb3 = bb4 - | bb4 = return' {_0} ] - ) [ & _0 : (opaque_ptr, t_GhostBox'0) = any_l () | & v : t_T'0 = v ] - [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[@expl:new result type invariant] [%#sptr_own1] inv'1 result} - {[@expl:new ensures] [%#sptr_own2] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) - /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = v} - (! return' {result}) ] - + goal refines : [%#shash_set0] forall a : t_Iter'0 . forall ab : Seq.seq t_T'0 . forall b : t_Iter'0 . forall bc : Seq.seq t_T'0 . forall c : t_Iter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . 
produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__ptr_own__qyi17842610664047605351__drop [#"../../../creusot-contracts/src/ptr_own.rs" 98 4 98 57] (* ptr_own::PtrOwn *) - let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 98 32 98 35 - let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 97 15 97 31 - let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 92 34 92 37 - let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 89 15 89 31 - let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 92 63 92 69 - let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 90 14 90 35 - let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 - let%span sresolve7 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 - let%span sboxed8 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sptr_own9 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 - let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr11 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 141 4 141 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 141 4 141 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_PtrOwn'0 + use prelude.prelude.UInt16 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_PtrOwn'0 } 
+ type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - use prelude.prelude.Borrow + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } use prelude.prelude.Opaque - function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - use prelude.prelude.Int + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = - [%#sptr11] addr_logic'0 self = 0 + use prelude.prelude.UIntSize - axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr10] is_null_logic'0 self = (addr_logic'0 self = 0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_T'0 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed8] inv'3 self + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_T'0 [inv'0 x] . 
inv'0 x = invariant'0 x + use prelude.prelude.Borrow - predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = - [%#sptr_own9] not is_null_logic'0 (ptr'0 self) /\ inv'0 (val'0 self) + type t_T'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + use seq.Seq - axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'2 x + type t_DeepModelTy'0 - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = - [%#sboxed8] inv'4 self + use set.Fset - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 120 4 120 33] (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 + - axiom inv_axiom'2 [@rewrite] : forall x : t_PtrOwn'0 [inv'2 x] . inv'2 x = invariant'1 x + use set.Fset - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + use prelude.prelude.Int - function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = - [%#sghost6] self.t_GhostBox__0'0 + use set.Fset - let rec to_box'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:to_box 'own' type invariant] [%#sptr_own2] inv'1 own} - {[@expl:to_box requires] [%#sptr_own3] ptr = ptr'0 (inner_logic'0 own)} - any - [ return' (result:t_T'0)-> {[%#sptr_own4] inv'0 result} - {[%#sptr_own5] result = val'0 (inner_logic'0 own)} - (! 
return' {result}) ] + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset3] Fset.mem e self - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = - [%#sresolve7] resolve'2 self + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) = - resolve'1 _1 + use seq.Seq - use prelude.prelude.Intrinsic + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - meta "compute_max_steps" 1000000 + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) + + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 
0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - let rec drop'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:()))= {[@expl:drop 'own' type invariant] [%#sptr_own0] inv'1 own} - {[@expl:drop requires] [%#sptr_own1] ptr = ptr'0 (inner_logic'0 own)} - (! bb0 - [ bb0 = s0 [ s0 = to_box'0 {ptr} {own} (fun (_ret':t_T'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = {[@expl:type invariant] inv'0 _4} s1 | s1 = -{resolve'0 _4}- s2 | s2 = bb2 ] - | bb2 = bb3 - | bb3 = return' {_0} ] - ) [ & _0 : () = any_l () | & ptr : opaque_ptr = ptr | & own : t_GhostBox'0 = own | & _4 : t_T'0 = any_l () ] - [ return' (result:())-> (! return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 128 4 128 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set1] set_produces'0 self visited o + + goal refines : [%#shash_set0] forall self : t_Iter'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__resolve__qyi4855891653524509355__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (* <(T1, T2) as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 45 15 45 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 46 14 46 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 43 4 43 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 40 8 40 44 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - use prelude.prelude.Borrow + use prelude.prelude.UInt16 - type t_T1'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_T2'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T2'0) + use prelude.prelude.Opaque - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T1'0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : (t_T1'0, t_T2'0)) = - match _1 with - | (x0, x1) -> resolve'1 x1 /\ resolve'2 x0 - end + 
type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 39 4 39 28] (self : (t_T1'0, t_T2'0)) = - [%#sresolve3] resolve'2 (let (a, _) = self in a) /\ resolve'1 (let (_, a) = self in a) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - constant self : (t_T1'0, t_T2'0) + use prelude.prelude.UIntSize - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (self : (t_T1'0, t_T2'0)) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi6740873903368268328__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (* <&mut T as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 59 15 59 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 60 14 60 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 57 4 57 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } use prelude.prelude.Borrow - type t_T'0 + type t_S'0 - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : borrowed t_T'0) = - _1.final = _1.current + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + type t_RawTableInner'0 = + { 
t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - constant self : borrowed t_T'0 + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (self : borrowed t_T'0) : () + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi10830812895881240411__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (* as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 73 15 73 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 74 14 74 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 71 4 71 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - use prelude.prelude.Borrow + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + use seq.Seq type t_T'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + use seq.Seq - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_T'0) = - resolve'1 _1 + type t_DeepModelTy'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = - [%#sresolve3] resolve'1 self + use set.Fset - constant self : t_T'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 195 4 195 33] (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 + - function resolve_coherence'0 
[#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (self : t_T'0) : () + use set.Fset - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi12875730110607858017__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (* as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 90 15 90 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 91 14 91 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 88 4 88 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 + use seq.Seq - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_T'0 + use set.Fset - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_Option'0) = - match _1 with - | C_None'0 -> true - | C_Some'0 x0 -> resolve'1 x0 - end + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = - [%#sresolve3] match self with - | C_Some'0 x -> resolve'1 x - | C_None'0 -> true - end + use seq.Seq - constant self : t_Option'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (self : t_Option'0) : () + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) + + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 203 4 203 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) + + = + [%#shash_set1] set_produces'0 self visited o + + goal refines : [%#shash_set0] forall self : t_Intersection'0 . forall result : () . 
produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__snapshot__qyi5567339964777190687__clone [#"../../../creusot-contracts/src/snapshot.rs" 59 4 59 27] (* as std::clone::Clone> *) - let%span ssnapshot0 = "../../../creusot-contracts/src/snapshot.rs" 58 14 58 29 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 223 4 223 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 223 4 223 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_T'0 + use prelude.prelude.UInt16 - use prelude.prelude.Snapshot + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - use prelude.prelude.Intrinsic + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - use prelude.prelude.Borrow + use prelude.prelude.Opaque - meta "compute_max_steps" 1000000 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - let rec clone'0 (self:Snapshot.snap_ty t_T'0) (return' (ret:Snapshot.snap_ty t_T'0))= (! bb0 - [ bb0 = s0 [ s0 = [ &_0 <- self ] s1 | s1 = return' {_0} ] ] - ) [ & _0 : Snapshot.snap_ty t_T'0 = any_l () | & self : Snapshot.snap_ty t_T'0 = self ] - [ return' (result:Snapshot.snap_ty t_T'0)-> {[@expl:clone ensures] [%#ssnapshot0] result = self} - (! 
return' {result}) ] - -end -module M_creusot_contracts__util__unwrap [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] - let%span sutil0 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 - let%span sutil1 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 - let%span sutil2 = "../../../creusot-contracts/src/util.rs" 45 11 45 16 - let%span sutil3 = "../../../creusot-contracts/src/util.rs" 46 10 46 15 - let%span sutil4 = "../../../creusot-contracts/src/util.rs" 47 10 47 11 - let%span sutil5 = "../../../creusot-contracts/src/util.rs" 58 4 61 5 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - type t_T'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.UIntSize - function unreachable'0 [#"../../../creusot-contracts/src/util.rs" 48 0 48 28] (_1 : ()) : t_T'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom unreachable'0_spec : forall _1 : () . 
([%#sutil2] false) -> ([%#sutil3] false) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - constant op : t_Option'0 + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'0) : t_T'0 + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - goal vc_unwrap'0 : ([%#sutil0] op <> C_None'0) - -> match op with - | C_Some'0 t -> [%#sutil1] C_Some'0 t = op - | C_None'0 -> ([@expl:unreachable requires] [%#sutil2] false) - /\ (([%#sutil3] false) -> ([%#sutil1] C_Some'0 (unreachable'0 ()) = op)) - end -end -module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_refl__refines [#"../../../creusot-contracts/src/std/array.rs" 73 4 73 26] (* as std::iter::Iterator> *) - let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 73 4 73 26 - let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - use prelude.prelude.Slice + use prelude.prelude.Borrow - type t_T'0 + type t_S'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_T'0 } + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_MaybeUninit'0 = - { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - use prelude.prelude.UIntSize + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - type t_IndexRange'0 = - { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - type t_IntoIter'0 = - { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - use 
seq.Seq + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - use seq.Seq + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + type t_T'0 use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) + type t_DeepModelTy'0 - goal refines : [%#sarray0] forall self : t_IntoIter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self - -> produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_trans__refines [#"../../../creusot-contracts/src/std/array.rs" 80 4 80 90] (* as std::iter::Iterator> *) - let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 80 4 80 90 - let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 + use set.Fset - use prelude.prelude.Slice + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 195 4 195 33] (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 + - type t_T'0 + use set.Fset - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_T'0 } + use seq.Seq - type t_MaybeUninit'0 = - { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } + use prelude.prelude.Int - use prelude.prelude.UIntSize + use set.Fset - type t_IndexRange'0 = - { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - type t_IntoIter'0 = - { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } + function deep_model'1 
[#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - use seq.Seq + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) + + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 
0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 203 4 203 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = - [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) + [%#shash_set1] set_produces'0 self visited o - goal refines : [%#sarray0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + use seq.Seq + + goal refines : [%#shash_set0] forall a : t_Intersection'0 . forall ab : Seq.seq t_T'0 . forall b : t_Intersection'0 . forall bc : Seq.seq t_T'0 . forall c : t_Intersection'0 . produces'0 b bc c /\ produces'0 a ab b -> produces'0 b bc c /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) @@ -25674,7 +29623,7 @@ module M_creusot_contracts__stdqy35z1__vec__qyi6844585276173866460__resolve_cohe let%span sindex3 = "../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span svec5 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow 
@@ -25738,7 +29687,7 @@ module M_creusot_contracts__stdqy35z1__vec__qyi6844585276173866460__resolve_cohe axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'3 x - predicate invariant'2 [#"../../../creusot-contracts/src/logic/seq.rs" 622 4 622 30] (self : Seq.seq t_T'0) = + predicate invariant'2 [#"../../../creusot-contracts/src/logic/seq.rs" 632 4 632 30] (self : Seq.seq t_T'0) = [%#sseq6] forall i : int . 0 <= i /\ i < Seq.length self -> inv'3 (Seq.get self i) predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Seq.seq t_T'0) @@ -26718,10 +30667,10 @@ module M_creusot_contracts__logic__fmap__qyi4648834920430559677__clone__refines goal refines : [%#sfmap0] forall self : t_FMap'0 . inv'0 self -> inv'0 self /\ (forall result : t_FMap'0 . result = self /\ inv'1 result -> result = self /\ inv'1 result) end -module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines [#"../../../creusot-contracts/src/logic/fset.rs" 312 4 312 27] (* as std::clone::Clone> *) - let%span sfset0 = "../../../creusot-contracts/src/logic/fset.rs" 312 4 312 27 +module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines [#"../../../creusot-contracts/src/logic/fset.rs" 323 4 323 27] (* as std::clone::Clone> *) + let%span sfset0 = "../../../creusot-contracts/src/logic/fset.rs" 323 4 323 27 let%span sinvariant1 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 326 20 326 63 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 337 20 337 63 let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 use prelude.prelude.Borrow 
@@ -26739,7 +30688,7 @@ module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - predicate invariant'1 [#"../../../creusot-contracts/src/logic/fset.rs" 325 4 325 30] (self : Fset.fset t_T'0) = + predicate invariant'1 [#"../../../creusot-contracts/src/logic/fset.rs" 336 4 336 30] (self : Fset.fset t_T'0) = [%#sfset2] forall x : t_T'0 . contains'0 self x -> inv'2 x predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Fset.fset t_T'0) @@ -26774,10 +30723,10 @@ module M_creusot_contracts__logic__int__qyi3540547019284611154__clone__refines [ goal refines : [%#sint0] forall self : int . inv'0 self -> (forall result : int . result = self -> result = self /\ inv'1 result) end -module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [#"../../../creusot-contracts/src/logic/seq.rs" 610 4 610 27] (* as std::clone::Clone> *) - let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 610 4 610 27 +module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [#"../../../creusot-contracts/src/logic/seq.rs" 620 4 620 27] (* as std::clone::Clone> *) + let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 620 4 620 27 let%span sinvariant1 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow 
@@ -26801,7 +30750,7 @@ module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [ axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'2 x - predicate invariant'1 [#"../../../creusot-contracts/src/logic/seq.rs" 622 4 622 30] (self : Seq.seq t_T'0) = + predicate invariant'1 [#"../../../creusot-contracts/src/logic/seq.rs" 632 4 632 30] (self : Seq.seq t_T'0) = [%#sseq2] forall i : int . 0 <= i /\ i < Seq.length self -> inv'2 (Seq.get self i) predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Seq.seq t_T'0) diff --git a/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml b/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml index fe7b06734e..7303c86f62 100644 --- a/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml +++ b/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml @@ -36,6 +36,285 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2415,7 +2694,7 @@ - + @@ -2893,26 +3172,6 @@ - - - - - - - - - - - - - - - - - - - - @@ -2933,16 +3192,6 @@ - - - - - - - - - - diff --git a/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz b/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz index 8d3a27c764..928b3d061b 100644 Binary files a/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz and b/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz differ 
diff --git a/creusot/tests/should_fail/bug/603.stderr b/creusot/tests/should_fail/bug/603.stderr index 89282f0f5c..c3b84c8db4 100644 --- a/creusot/tests/should_fail/bug/603.stderr +++ b/creusot/tests/should_fail/bug/603.stderr @@ -13,7 +13,7 @@ error[E0277]: the trait bound `VecMap: creusot_contracts::Default` is not (A, B, C, D) (A, B, C, D, E) (A, B, C, D, E, F) - and 22 others + and 23 others error: error above diff --git a/creusot/tests/should_fail/bug/878.coma b/creusot/tests/should_fail/bug/878.coma index eba9339550..b29878e50e 100644 --- a/creusot/tests/should_fail/bug/878.coma +++ b/creusot/tests/should_fail/bug/878.coma @@ -112,7 +112,7 @@ module M_878__test2 [#"878.rs" 19 0 19 14] let%span sboxed7 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 let%span svec8 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sslice9 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq10 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq10 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span s87811 = "878.rs" 15 8 15 22 use prelude.prelude.UInt32 @@ -254,7 +254,7 @@ module M_878__test3 [#"878.rs" 25 0 25 14] let%span sboxed7 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 let%span svec8 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sslice9 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq10 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq10 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span s87811 = "878.rs" 15 8 15 22 use prelude.prelude.UInt32 diff --git a/creusot/tests/should_fail/bug/specialize.coma b/creusot/tests/should_fail/bug/specialize.coma index d6c798deba..b6a48e240b 100644 --- a/creusot/tests/should_fail/bug/specialize.coma +++ b/creusot/tests/should_fail/bug/specialize.coma 
@@ -43,7 +43,7 @@ module M_specialize__g [#"specialize.rs" 27 0 27 18] let%span sspecialize2 = "specialize.rs" 6 9 6 13 let%span svec3 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span svec4 = "../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 - let%span sseq5 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq5 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed6 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Opaque @@ -169,7 +169,7 @@ module M_specialize__qyi2463200954251793265__x__refines [#"specialize.rs" 12 4 1 let%span sspecialize0 = "specialize.rs" 12 4 12 22 let%span svec1 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span svec2 = "../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 - let%span sseq3 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq3 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed4 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Opaque diff --git a/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr b/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr index 7c2f27fcf3..351eeaf140 100644 --- a/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr +++ b/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr @@ -40,7 +40,7 @@ error[E0277]: Cannot take the model of `S` [T] creusot_contracts::GhostBox creusot_contracts::Snapshot - and 32 others + and 40 others error[E0277]: Cannot take the model of `S` --> view_unimplemented.rs:14:25 @@ -58,7 +58,7 @@ error[E0277]: Cannot take the model of `S` [T] creusot_contracts::GhostBox creusot_contracts::Snapshot - and 32 others + and 40 others error: aborting due to 3 previous errors 
diff --git a/creusot/tests/should_succeed/bug/final_borrows.coma b/creusot/tests/should_succeed/bug/final_borrows.coma index 2bb331f3ef..f244325915 100644 --- a/creusot/tests/should_succeed/bug/final_borrows.coma +++ b/creusot/tests/should_succeed/bug/final_borrows.coma @@ -1943,7 +1943,7 @@ module M_final_borrows__index_mut_slice [#"final_borrows.rs" 208 0 208 48] let%span sslice10 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sinvariant11 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice12 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed14 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize @@ -2104,7 +2104,7 @@ module M_final_borrows__index_mut_array [#"final_borrows.rs" 214 0 214 52] let%span sresolve8 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant9 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sarray10 = "../../../../creusot-contracts/src/std/array.rs" 14 20 14 30 - let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed12 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize diff --git a/creusot/tests/should_succeed/cc/collections.coma b/creusot/tests/should_succeed/cc/collections.coma new file mode 100644 index 0000000000..f8345c7cc2 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections.coma 
@@ -0,0 +1,1925 @@ +module M_collections__roundtrip_hashmap_into_iter [#"collections.rs" 15 0 17 18] + let%span scollections0 = "collections.rs" 19 14 19 30 + let%span scollections1 = "collections.rs" 22 8 25 80 + let%span scollections2 = "collections.rs" 27 20 27 79 + let%span scollections3 = "collections.rs" 14 10 14 24 + let%span siter4 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter5 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map6 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 73 20 73 54 + let%span shash_map7 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap8 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq9 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap10 = "../../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span shash_map11 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 199 20 199 24 + let%span shash_map12 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 205 20 205 33 + let%span shash_map13 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 245 20 247 86 + let%span shash_map14 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 78 14 78 45 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 76 4 76 10 + let%span shash_map16 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 83 15 83 32 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 84 15 84 32 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 85 14 85 42 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 87 8 87 104 + let%span sresolve20 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel21 = "../../../../creusot-contracts/src/model.rs" 110 
8 110 22 + let%span sfmap22 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap23 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap24 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap25 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'1 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'1 } + + predicate inv'0 (_1 : t_HashMap'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashMap'0 [inv'0 x] . 
inv'0 x = true + + predicate into_iter_pre'0 (self : t_HashMap'0) = + [%#shash_map11] true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | 
C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_FMap'0 + + function view'0 (self : t_HashMap'0) : t_FMap'0 + + function view'2 (self : t_IntoIter'0) : t_FMap'0 + + predicate into_iter_post'0 (self : t_HashMap'0) (res : t_IntoIter'0) = + [%#shash_map12] view'0 self = view'2 res + + let rec into_iter'0 (self:t_HashMap'0) (return' (ret:t_IntoIter'0))= {[@expl:into_iter 'self' type invariant] inv'0 self} + {[@expl:into_iter requires] [%#siter4] into_iter_pre'0 self} + any [ return' (result:t_IntoIter'0)-> {[%#siter4] into_iter_post'0 self result} (! return' {result}) ] + + use prelude.prelude.Snapshot + + predicate inv'1 (_1 : t_IntoIter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IntoIter'0 [inv'1 x] . inv'1 x = true + + use prelude.prelude.Borrow + + type t_K'0 + + type t_V'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_IntoIter'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap23] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = + [%#sseq9] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_DeepModelTy'0 + + function deep_model'0 (self : t_K'0) : t_DeepModelTy'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 + + use map.Map + + function view'3 (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + + axiom view'3_spec : forall self : t_FMap'0 . [%#sfmap30] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'3 m1 <> view'3 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 = + [%#sfmap24] Map.get (view'3 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 = + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) = + [%#shash_map7] len'0 (view'2 self) = Seq.length visited + len'0 (view'2 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'2 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'2 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'2 o) k = C_Some'0 v + -> get'0 (view'2 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'2 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'2 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 
0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + function produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_IntoIter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_IntoIter'0) : () + + = + [%#shash_map19] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq (t_K'0, t_V'0), b : t_IntoIter'0, bc : Seq.seq (t_K'0, t_V'0), c : t_IntoIter'0 . ([%#shash_map16] produces'0 a ab b) + -> ([%#shash_map17] produces'0 b bc c) -> ([%#shash_map18] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IntoIter'0) : () = + [%#shash_map15] () + + axiom produces_refl'0_spec : forall self : t_IntoIter'0 . [%#shash_map14] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + + predicate resolve'1 (self : borrowed (t_IntoIter'0)) = + [%#sresolve20] self.final = self.current + + function view'1 (self : borrowed (t_IntoIter'0)) : t_FMap'0 = + [%#smodel21] view'2 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'0 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap25] len'0 (empty'0 _1) = 0) + && ([%#sfmap26] view'3 (empty'0 _1) = Const.const (C_None'1)) + + function ext_eq'0 (self : t_FMap'0) (other : t_FMap'0) : bool = + [%#sfmap29] view'3 self = view'3 other + + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap27] ext_eq'0 self other -> self = other) + && ([%#sfmap28] (forall k : t_DeepModelTy'0 . 
get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'0) : bool = + [%#sfmap22] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_IntoIter'0)) = + [%#shash_map6] resolve'1 self /\ is_empty'0 (view'1 self) + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, t_V'0)) (res : t_HashMap'0) = + [%#shash_map13] forall k : t_DeepModelTy'0, v : t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int, k1 : t_K'0 . 0 <= i + /\ i < Seq.length prod + /\ deep_model'0 k1 = k + /\ Seq.get prod i = (k1, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> deep_model'0 (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_IntoIter'0) (return' (ret:t_HashMap'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'0)-> {inv'0 result} + {[%#siter5] exists done' : borrowed (t_IntoIter'0), prod : Seq.seq (t_K'0, t_V'0) . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Snapshot + + function contains'1 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : bool = + [%#sfmap10] get_unsized'0 self k <> C_None'1 + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_into_iter'0 (xs:t_HashMap'0) (return' (ret:t_HashMap'0))= (! bb0 + [ bb0 = bb1 + | bb1 = s0 [ s0 = into_iter'0 {xs} (fun (_ret':t_IntoIter'0) -> [ &it <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = [ &it0 <- [%#scollections0] Snapshot.new it ] s1 | s1 = bb3 ] + | bb3 = s0 [ s0 = collect'0 {it} (fun (_ret':t_HashMap'0) -> [ &r <- _ret' ] s1) | s1 = bb4 ] + | bb4 = s0 + [ s0 = {[@expl:assertion] [%#scollections1] exists prod : Seq.seq (t_K'0, t_V'0), it1 : borrowed (t_IntoIter'0) . 
completed'0 it1 + /\ produces'0 (Snapshot.inner it0) prod it1.current + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 prod (k1, v)))} + s1 + | s1 = bb5 ] + + | bb5 = s0 + [ s0 = {[@expl:assertion] [%#scollections2] forall k : t_DeepModelTy'0 . contains'1 (view'0 r) k + = contains'1 (view'0 xs) k} + s1 + | s1 = bb6 ] + + | bb6 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb7 ] + | bb7 = bb8 + | bb8 = bb9 + | bb9 = return' {_0} ] + ) + [ & _0 : t_HashMap'0 = any_l () + | & xs : t_HashMap'0 = xs + | & it : t_IntoIter'0 = any_l () + | & it0 : Snapshot.snap_ty (t_IntoIter'0) = any_l () + | & r : t_HashMap'0 = any_l () ] + + [ return' (result:t_HashMap'0)-> {[@expl:roundtrip_hashmap_into_iter ensures] [%#scollections3] view'0 result + = view'0 xs} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashmap_iter [#"collections.rs" 32 0 32 97] + let%span scollections0 = "collections.rs" 34 14 34 30 + let%span scollections1 = "collections.rs" 38 4 41 77 + let%span scollections2 = "collections.rs" 31 10 31 98 + let%span shash_map3 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 23 0 37 1 + let%span siter4 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map5 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 125 20 125 54 + let%span shash_map6 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap7 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel8 = "../../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq9 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel10 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span shash_map11 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 245 20 247 86 + let%span shash_map12 = 
"../../../../creusot-contracts/src/std/collections/hash_map.rs" 130 14 130 45 + let%span shash_map13 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 128 4 128 10 + let%span shash_map14 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 135 15 135 32 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 136 15 136 32 + let%span shash_map16 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 137 14 137 42 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 139 8 139 104 + let%span sresolve18 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel19 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap20 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap21 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap22 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap23 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap24 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap25 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'1 = 
+ { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'3 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashMap'1 = + { t_HashMap__base'1: t_HashMap'3 } + + predicate inv'0 (_1 : t_HashMap'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashMap'1 [inv'0 x] . inv'0 x = true + + type t_FMap'1 + + function view'4 (self : t_HashMap'1) : t_FMap'1 + + function view'1 (self : t_HashMap'1) : t_FMap'1 = + [%#smodel10] view'4 self + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + function view'2 (self : t_Iter'0) : t_FMap'1 + + let rec iter'0 (self:t_HashMap'1) (return' (ret:t_Iter'0))= {[@expl:iter 'self' type invariant] inv'0 self} + any [ return' (result:t_Iter'0)-> {[%#shash_map3] view'1 self = view'2 result} (! return' {result}) ] + + use prelude.prelude.Snapshot + + predicate inv'1 (_1 : t_Iter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Iter'0 [inv'1 x] . 
inv'1 x = true + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'2 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'2 } + + predicate inv'2 (_1 : t_HashMap'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashMap'0 [inv'2 x] . inv'2 x = true + + type t_K'0 + + type t_V'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_Iter'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'1) : int + + axiom len'0_spec : forall self : t_FMap'1 . [%#sfmap21] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = + [%#sseq9] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_DeepModelTy'0 + + function deep_model'1 (self : t_K'0) : t_DeepModelTy'0 + + function deep_model'0 (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel8] deep_model'1 self + + type t_Option'2 = + | C_None'0 + | C_Some'1 t_V'0 + + type t_Option'3 = + | C_None'3 + | C_Some'3 t_V'0 + + use map.Map + + function view'6 (self : t_FMap'1) : Map.map t_DeepModelTy'0 (t_Option'3) + + axiom view'6_spec : forall self : t_FMap'1 . [%#sfmap28] forall m1 : t_FMap'1, m2 : t_FMap'1 . m1 <> m2 + -> view'6 m1 <> view'6 m2 + + use map.Map + + function get_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_Option'3 = + [%#sfmap22] Map.get (view'6 self) k + + function get'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_Option'2 = + [%#sfmap7] match get_unsized'1 self k with + | C_None'3 -> C_None'0 + | C_Some'3 x -> C_Some'1 x + end + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) = + [%#shash_map6] len'0 (view'2 self) = Seq.length visited + len'0 (view'2 o) + /\ (forall k : t_K'0, v : t_V'0 . 
contains'0 visited (k, v) + -> get'1 (view'2 self) (deep_model'0 k) = C_Some'1 v /\ get'1 (view'2 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'1 (view'2 o) k = C_Some'1 v + -> get'1 (view'2 self) k = C_Some'1 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'1 (view'2 self) k = C_Some'1 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'1 (view'2 o) k = C_Some'1 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + function produces_trans'0 (a : t_Iter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_Iter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_Iter'0) : () + + = + [%#shash_map17] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq (t_K'0, t_V'0), b : t_Iter'0, bc : Seq.seq (t_K'0, t_V'0), c : t_Iter'0 . ([%#shash_map14] produces'0 a ab b) + -> ([%#shash_map15] produces'0 b bc c) -> ([%#shash_map16] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Iter'0) : () = + [%#shash_map13] () + + axiom produces_refl'0_spec : forall self : t_Iter'0 . [%#shash_map12] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + + predicate resolve'1 (self : borrowed (t_Iter'0)) = + [%#sresolve18] self.final = self.current + + function view'3 (self : borrowed (t_Iter'0)) : t_FMap'1 = + [%#smodel19] view'2 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'1 + + axiom empty'0_spec : forall _1 : () . 
([%#sfmap23] len'0 (empty'0 _1) = 0) + && ([%#sfmap24] view'6 (empty'0 _1) = Const.const (C_None'3)) + + function ext_eq'0 (self : t_FMap'1) (other : t_FMap'1) : bool = + [%#sfmap27] view'6 self = view'6 other + + axiom ext_eq'0_spec : forall self : t_FMap'1, other : t_FMap'1 . ([%#sfmap25] ext_eq'0 self other -> self = other) + && ([%#sfmap26] (forall k : t_DeepModelTy'0 . get_unsized'1 self k = get_unsized'1 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'1) : bool = + [%#sfmap20] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_Iter'0)) = + [%#shash_map5] resolve'1 self /\ is_empty'0 (view'3 self) + + type t_FMap'0 + + function view'0 (self : t_HashMap'0) : t_FMap'0 + + type t_Option'0 = + | C_None'2 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 + + use map.Map + + function view'5 (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + + axiom view'5_spec : forall self : t_FMap'0 . [%#sfmap28] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'5 m1 <> view'5 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 = + [%#sfmap22] Map.get (view'5 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 = + [%#sfmap7] match get_unsized'0 self k with + | C_None'1 -> C_None'2 + | C_Some'2 x -> C_Some'0 x + end + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, t_V'0)) (res : t_HashMap'0) = + [%#shash_map11] forall k : t_DeepModelTy'0, v : t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int, k1 : t_K'0 . 0 <= i + /\ i < Seq.length prod + /\ deep_model'0 k1 = k + /\ Seq.get prod i = (k1, v) + /\ (forall j : int . 
i < j /\ j < Seq.length prod -> deep_model'0 (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_Iter'0) (return' (ret:t_HashMap'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'0)-> {inv'2 result} + {[%#siter4] exists done' : borrowed (t_Iter'0), prod : Seq.seq (t_K'0, t_V'0) . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Snapshot + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_iter'0 (xs:t_HashMap'1) (return' (ret:t_HashMap'0))= (! bb0 + [ bb0 = s0 [ s0 = iter'0 {xs} (fun (_ret':t_Iter'0) -> [ &it <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &it0 <- [%#scollections0] Snapshot.new it ] s1 | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {it} (fun (_ret':t_HashMap'0) -> [ &r <- _ret' ] s1) | s1 = bb3 ] + | bb3 = s0 + [ s0 = {[@expl:assertion] [%#scollections1] exists prod : Seq.seq (t_K'0, t_V'0), it1 : borrowed (t_Iter'0) . completed'0 it1 + /\ produces'0 (Snapshot.inner it0) prod it1.current + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 prod (k1, v)))} + s1 + | s1 = bb4 ] + + | bb4 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb5 ] + | bb5 = return' {_0} ] + ) + [ & _0 : t_HashMap'0 = any_l () + | & xs : t_HashMap'1 = xs + | & it : t_Iter'0 = any_l () + | & it0 : Snapshot.snap_ty (t_Iter'0) = any_l () + | & r : t_HashMap'0 = any_l () ] + + [ return' (result:t_HashMap'0)-> {[@expl:roundtrip_hashmap_iter ensures] [%#scollections2] forall k : t_DeepModelTy'0, v : t_V'0 . (get'0 (view'0 result) k + = C_Some'0 v) + = (get'1 (view'1 xs) k = C_Some'1 v)} + (! 
return' {result}) ] + +end +module M_collections__roundtrip_hashmap_iter_mut [#"collections.rs" 48 0 50 24] + let%span scollections0 = "collections.rs" 52 14 52 30 + let%span scollections1 = "collections.rs" 55 8 58 81 + let%span scollections2 = "collections.rs" 45 10 45 128 + let%span scollections3 = "collections.rs" 46 10 46 107 + let%span scollections4 = "collections.rs" 47 10 47 110 + let%span shash_map5 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 23 0 37 1 + let%span siter6 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map7 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 177 20 177 54 + let%span shash_map8 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap9 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel10 = "../../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel12 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap13 = "../../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap14 = "../../../../creusot-contracts/src/logic/fmap.rs" 228 8 228 24 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 233 20 235 112 + let%span shash_map16 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 245 20 247 86 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 182 14 182 45 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 10 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 187 15 187 32 + let%span shash_map20 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 188 15 188 32 + let%span shash_map21 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 189 14 189 42 + let%span 
shash_map22 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 191 8 191 104 + let%span sresolve23 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sfmap24 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap25 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 116 9 116 31 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap31 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap32 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap33 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap34 = "../../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 + let%span sutil35 = "../../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil36 = "../../../../creusot-contracts/src/util.rs" 56 10 56 28 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'2 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: 
t_HashMap'2 } + + predicate inv'0 (_1 : borrowed (t_HashMap'0)) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_HashMap'0) [inv'0 x] . inv'0 x = true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } + + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } + + type t_DeepModelTy'0 + + type t_FMap'1 + + function view'2 (self : t_HashMap'0) : t_FMap'1 + + type t_V'0 + + type t_Option'3 = + | C_None'2 + | C_Some'3 t_V'0 + + use map.Map + + function view'6 (self : t_FMap'1) : Map.map t_DeepModelTy'0 (t_Option'3) + + axiom view'6_spec : forall self : t_FMap'1 . [%#sfmap33] forall m1 : t_FMap'1, m2 : t_FMap'1 . m1 <> m2 + -> view'6 m1 <> view'6 m2 + + use map.Map + + function get_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_Option'3 = + [%#sfmap26] Map.get (view'6 self) k + + function contains'2 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : bool = + [%#sfmap13] get_unsized'1 self k <> C_None'2 + + type t_FMap'0 + + function view'4 (self : t_IterMut'0) : t_FMap'0 + + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) + + use map.Map + + function view'5 (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + + axiom view'5_spec : forall self : t_FMap'0 . [%#sfmap33] forall m1 : t_FMap'0, m2 : t_FMap'0 . 
m1 <> m2 + -> view'5 m1 <> view'5 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 = + [%#sfmap26] Map.get (view'5 self) k + + function contains'1 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : bool = + [%#sfmap13] get_unsized'0 self k <> C_None'1 + + function unwrap'1 (op : t_Option'3) : t_V'0 + + axiom unwrap'1_spec : forall op : t_Option'3 . ([%#sutil35] op <> C_None'2) + -> ([%#sutil36] C_Some'3 (unwrap'1 op) = op) + + function lookup_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_V'0 = + [%#sfmap34] unwrap'1 (get_unsized'1 self k) + + function lookup'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_V'0 = + [%#sfmap27] lookup_unsized'1 self k + + function index_logic'1 [@inline:trivial] (self : t_FMap'1) (key : t_DeepModelTy'0) : t_V'0 = + [%#sfmap14] lookup'1 self key + + function unwrap'0 (op : t_Option'1) : borrowed t_V'0 + + axiom unwrap'0_spec : forall op : t_Option'1 . ([%#sutil35] op <> C_None'1) + -> ([%#sutil36] C_Some'2 (unwrap'0 op) = op) + + function lookup_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : borrowed t_V'0 = + [%#sfmap34] unwrap'0 (get_unsized'0 self k) + + function lookup'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : borrowed t_V'0 = + [%#sfmap27] lookup_unsized'0 self k + + function index_logic'0 [@inline:trivial] (self : t_FMap'0) (key : t_DeepModelTy'0) : borrowed t_V'0 = + [%#sfmap14] lookup'0 self key + + predicate into_iter_post'0 (self : borrowed (t_HashMap'0)) (res : t_IterMut'0) = + [%#shash_map15] forall k : t_DeepModelTy'0 . contains'2 (view'2 self.current) k = contains'2 (view'2 self.final) k + /\ (forall k : t_DeepModelTy'0 . contains'2 (view'2 self.current) k = contains'1 (view'4 res) k) + /\ (forall k : t_DeepModelTy'0 . 
contains'2 (view'2 self.current) k + -> index_logic'1 (view'2 self.current) k = (index_logic'0 (view'4 res) k).current + /\ index_logic'1 (view'2 self.final) k = (index_logic'0 (view'4 res) k).final) + + let rec iter_mut'0 (self:borrowed (t_HashMap'0)) (return' (ret:t_IterMut'0))= {[@expl:iter_mut 'self' type invariant] inv'0 self} + any [ return' (result:t_IterMut'0)-> {[%#shash_map5] into_iter_post'0 self result} (! return' {result}) ] + + use prelude.prelude.Snapshot + + predicate inv'1 (_1 : t_IterMut'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IterMut'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'3 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashMap'1 = + { t_HashMap__base'1: t_HashMap'3 } + + predicate inv'2 (_1 : t_HashMap'1) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashMap'1 [inv'2 x] . inv'2 x = true + + type t_K'0 + + use seq.Seq + + predicate resolve'1 (_1 : t_IterMut'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap25] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) = + [%#sseq11] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + function deep_model'1 (self : t_K'0) : t_DeepModelTy'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 = + [%#sfmap9] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end + + function deep_model'0 (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel10] deep_model'1 self + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) = + [%#shash_map8] len'0 (view'4 self) = Seq.length visited + len'0 (view'4 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'4 self) (deep_model'1 k) = C_Some'0 v /\ get'0 (view'4 o) (deep_model'1 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'4 o) k = C_Some'0 v + -> get'0 (view'4 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'4 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'4 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + function produces_trans'0 (a : t_IterMut'0) (ab : Seq.seq (t_K'0, borrowed t_V'0)) (b : t_IterMut'0) (bc : Seq.seq (t_K'0, borrowed t_V'0)) (c : t_IterMut'0) : () + + = + [%#shash_map22] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_IterMut'0, ab : Seq.seq (t_K'0, borrowed t_V'0), b : t_IterMut'0, bc : Seq.seq (t_K'0, borrowed t_V'0), c : t_IterMut'0 . 
([%#shash_map19] produces'0 a ab b) + -> ([%#shash_map20] produces'0 b bc c) -> ([%#shash_map21] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IterMut'0) : () = + [%#shash_map18] () + + axiom produces_refl'0_spec : forall self : t_IterMut'0 . [%#shash_map17] produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self + + predicate resolve'2 (self : borrowed (t_IterMut'0)) = + [%#sresolve23] self.final = self.current + + function view'3 (self : borrowed (t_IterMut'0)) : t_FMap'0 = + [%#smodel12] view'4 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'0 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap28] len'0 (empty'0 _1) = 0) + && ([%#sfmap29] view'5 (empty'0 _1) = Const.const (C_None'1)) + + function ext_eq'0 (self : t_FMap'0) (other : t_FMap'0) : bool = + [%#sfmap32] view'5 self = view'5 other + + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap30] ext_eq'0 self other -> self = other) + && ([%#sfmap31] (forall k : t_DeepModelTy'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'0) : bool = + [%#sfmap24] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_IterMut'0)) = + [%#shash_map7] resolve'2 self /\ is_empty'0 (view'3 self) + + function view'0 (self : t_HashMap'1) : t_FMap'0 + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, borrowed t_V'0)) (res : t_HashMap'1) = + [%#shash_map16] forall k : t_DeepModelTy'0, v : borrowed t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int, k1 : t_K'0 . 0 <= i + /\ i < Seq.length prod + /\ deep_model'0 k1 = k + /\ Seq.get prod i = (k1, v) + /\ (forall j : int . 
i < j /\ j < Seq.length prod -> deep_model'0 (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_IterMut'0) (return' (ret:t_HashMap'1))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'1)-> {inv'2 result} + {[%#siter6] exists done' : borrowed (t_IterMut'0), prod : Seq.seq (t_K'0, borrowed t_V'0) . resolve'1 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Snapshot + + predicate resolve'3 (self : borrowed (t_HashMap'0)) = + [%#sresolve23] self.final = self.current + + predicate resolve'0 (_1 : borrowed (t_HashMap'0)) = + resolve'3 _1 + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + function view'1 (self : borrowed (t_HashMap'0)) : t_FMap'1 = + [%#smodel12] view'2 self.current + + type t_Option'2 = + | C_None'3 + | C_Some'1 t_V'0 + + function get'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_Option'2 = + [%#sfmap9] match get_unsized'1 self k with + | C_None'2 -> C_None'3 + | C_Some'3 x -> C_Some'1 x + end + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_iter_mut'0 (xs:borrowed (t_HashMap'0)) (return' (ret:t_HashMap'1))= (! bb0 + [ bb0 = s0 + [ s0 = Borrow.borrow_final {xs.current} {Borrow.get_id xs} + (fun (_ret':borrowed (t_HashMap'0)) -> [ &_6 <- _ret' ] [ &xs <- { xs with current = _ret'.final } ] s1) + | s1 = iter_mut'0 {_6} (fun (_ret':t_IterMut'0) -> [ &it <- _ret' ] s2) + | s2 = bb1 ] + + | bb1 = s0 [ s0 = [ &it0 <- [%#scollections0] Snapshot.new it ] s1 | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {it} (fun (_ret':t_HashMap'1) -> [ &r <- _ret' ] s1) | s1 = bb3 ] + | bb3 = s0 + [ s0 = {[@expl:assertion] [%#scollections1] exists prod : Seq.seq (t_K'0, borrowed t_V'0), it1 : borrowed (t_IterMut'0) . completed'0 it1 + /\ produces'0 (Snapshot.inner it0) prod it1.current + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . 
get'0 (view'0 r) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 prod (k1, v)))} + s1 + | s1 = bb4 ] + + | bb4 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb5 ] + | bb5 = s0 [ s0 = -{resolve'0 xs}- s1 | s1 = return' {_0} ] ] + ) + [ & _0 : t_HashMap'1 = any_l () + | & xs : borrowed (t_HashMap'0) = xs + | & it : t_IterMut'0 = any_l () + | & _6 : borrowed (t_HashMap'0) = any_l () + | & it0 : Snapshot.snap_ty (t_IterMut'0) = any_l () + | & r : t_HashMap'1 = any_l () ] + + [ return' (result:t_HashMap'1)-> {[@expl:roundtrip_hashmap_iter_mut ensures #0] [%#scollections2] forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 result) k + = C_Some'0 v -> get'1 (view'1 xs) k = C_Some'1 (v.current) /\ get'1 (view'2 xs.final) k = C_Some'1 (v.final)} + {[@expl:roundtrip_hashmap_iter_mut ensures #1] [%#scollections3] forall k : t_DeepModelTy'0, v : t_V'0 . get'1 (view'1 xs) k + = C_Some'1 v -> contains'1 (view'0 result) k /\ (index_logic'0 (view'0 result) k).current = v} + {[@expl:roundtrip_hashmap_iter_mut ensures #2] [%#scollections4] forall k : t_DeepModelTy'0, v : t_V'0 . get'1 (view'2 xs.final) k + = C_Some'1 v -> contains'1 (view'0 result) k /\ (index_logic'0 (view'0 result) k).final = v} + (! 
return' {result}) ] + +end +module M_collections__roundtrip_hashset_into_iter [#"collections.rs" 64 0 64 90] + let%span scollections0 = "collections.rs" 63 10 63 24 + let%span siter1 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_set3 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 157 20 157 24 + let%span shash_set4 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 163 20 163 33 + let%span shash_set5 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 96 20 96 38 + let%span shash_set6 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set7 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 185 20 185 121 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 101 14 101 45 + let%span shash_set9 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 99 4 99 10 + let%span shash_set10 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 106 15 106 32 + let%span shash_set11 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 107 15 107 32 + let%span shash_set12 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 108 14 108 42 + let%span shash_set13 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 110 8 110 43 + let%span smodel14 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span shash_set15 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset16 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_set18 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set19 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + 
let%span shash_set20 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set21 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span sseq22 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq23 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + predicate inv'0 (_1 : t_HashSet'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'0 [inv'0 x] . 
inv'0 x = true + + predicate into_iter_pre'0 (self : t_HashSet'0) = + [%#shash_set3] true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | 
C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } + + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_DeepModelTy'0 + + use set.Fset + + function view'0 (self : t_HashSet'0) : Fset.fset t_DeepModelTy'0 + + function view'1 (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 + + predicate into_iter_post'0 (self : t_HashSet'0) (res : t_IntoIter'0) = + [%#shash_set4] view'0 self = view'1 res + + let rec into_iter'0 (self:t_HashSet'0) (return' (ret:t_IntoIter'0))= {[@expl:into_iter 'self' type invariant] inv'0 self} + {[@expl:into_iter requires] [%#siter1] into_iter_pre'0 self} + any [ return' (result:t_IntoIter'0)-> {[%#siter1] into_iter_post'0 self result} (! return' {result}) ] + + predicate inv'1 (_1 : t_IntoIter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IntoIter'0 [inv'1 x] . 
inv'1 x = true + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_IntoIter'0) = + true + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) = + [%#sfset16] Fset.mem e self + + function deep_model'0 (self : t_T'0) : t_DeepModelTy'0 + + use seq.Seq + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) = + [%#shash_set15] Fset.cardinal (view'1 start) = Seq.length visited + Fset.cardinal (view'1 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'1 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'1 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'1 start) (deep_model'0 x) /\ not contains'0 (view'1 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'1 end') x + -> contains'0 (view'1 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) + + use seq.Seq + + function concat_contains'0 (_1 : ()) : () = + [%#sseq23] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq22] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . 
contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x + + function set_produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + = + [%#shash_set21] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom set_produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq t_T'0, b : t_IntoIter'0, bc : Seq.seq t_T'0, c : t_IntoIter'0 . ([%#shash_set18] set_produces'0 a ab b) + -> ([%#shash_set19] set_produces'0 b bc c) -> ([%#shash_set20] set_produces'0 a (Seq.(++) ab bc) c) + + use seq.Seq + + predicate produces'0 (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = + [%#shash_set6] set_produces'0 self visited o + + function produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + = + [%#shash_set13] let _ = set_produces_trans'0 a ab b bc c in () + + axiom produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq t_T'0, b : t_IntoIter'0, bc : Seq.seq t_T'0, c : t_IntoIter'0 . ([%#shash_set10] produces'0 a ab b) + -> ([%#shash_set11] produces'0 b bc c) -> ([%#shash_set12] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IntoIter'0) : () = + [%#shash_set9] () + + axiom produces_refl'0_spec : forall self : t_IntoIter'0 . [%#shash_set8] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + function view'2 (self : borrowed (t_IntoIter'0)) : Fset.fset t_DeepModelTy'0 = + [%#smodel14] view'1 self.current + + use set.Fset + + predicate completed'0 (self : borrowed (t_IntoIter'0)) = + [%#shash_set5] Fset.is_empty (view'2 self) + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set7] forall x : t_DeepModelTy'0 . contains'0 (view'0 res) x + = (exists x1 : t_T'0 . 
deep_model'0 x1 = x /\ contains'1 prod x1) + + let rec collect'0 (self:t_IntoIter'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashSet'0)-> {inv'0 result} + {[%#siter2] exists done' : borrowed (t_IntoIter'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashset_into_iter'0 (xs:t_HashSet'0) (return' (ret:t_HashSet'0))= (! bb0 + [ bb0 = bb1 + | bb1 = s0 [ s0 = into_iter'0 {xs} (fun (_ret':t_IntoIter'0) -> [ &_3 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {_3} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : t_HashSet'0 = any_l () | & xs : t_HashSet'0 = xs | & _3 : t_IntoIter'0 = any_l () ] + [ return' (result:t_HashSet'0)-> {[@expl:roundtrip_hashset_into_iter ensures] [%#scollections0] view'0 result + = view'0 xs} + (! 
return' {result}) ] + +end +module M_collections__roundtrip_hashset_iter [#"collections.rs" 69 0 69 87] + let%span scollections0 = "collections.rs" 68 10 68 24 + let%span shash_set1 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 19 0 38 1 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span smodel3 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span shash_set4 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 135 20 135 38 + let%span shash_set5 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set6 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 185 20 185 121 + let%span shash_set7 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 140 14 140 45 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 138 4 138 10 + let%span shash_set9 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 145 15 145 32 + let%span shash_set10 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 146 15 146 32 + let%span shash_set11 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 147 14 147 42 + let%span shash_set12 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 149 8 149 43 + let%span smodel13 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span shash_set14 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset15 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel16 = "../../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_set18 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set19 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set20 = 
"../../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set21 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span sseq22 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq23 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'1 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashSet'3 = + { t_HashSet__map'1: t_HashMap'1 } + + type t_HashSet'1 = + { t_HashSet__base'1: t_HashSet'3 } + + predicate inv'0 (_1 : t_HashSet'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'1 [inv'0 x] . 
inv'0 x = true + + type t_DeepModelTy'0 + + use set.Fset + + function view'3 (self : t_HashSet'1) : Fset.fset t_DeepModelTy'0 + + function view'1 (self : t_HashSet'1) : Fset.fset t_DeepModelTy'0 = + [%#smodel3] view'3 self + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + function view'2 (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 + + let rec iter'0 (self:t_HashSet'1) (return' (ret:t_Iter'0))= {[@expl:iter 'self' type invariant] inv'0 self} + any [ return' (result:t_Iter'0)-> {[%#shash_set1] view'1 self = view'2 result} (! return' {result}) ] + + predicate inv'1 (_1 : t_Iter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Iter'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'2 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'2 } + + predicate inv'2 (_1 : t_HashSet'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashSet'0 [inv'2 x] . 
inv'2 x = true + + type t_T'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_Iter'0) = + true + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) = + [%#sfset15] Fset.mem e self + + function deep_model'1 (self : t_T'0) : t_DeepModelTy'0 + + function deep_model'0 (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel16] deep_model'1 self + + use seq.Seq + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) = + [%#shash_set14] Fset.cardinal (view'2 start) = Seq.length visited + Fset.cardinal (view'2 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'2 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'2 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'2 start) (deep_model'0 x) /\ not contains'0 (view'2 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'2 end') x + -> contains'0 (view'2 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) + + use seq.Seq + + function concat_contains'0 (_1 : ()) : () = + [%#sseq23] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq22] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . 
contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x + + function set_produces_trans'0 (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + + = + [%#shash_set21] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom set_produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq t_T'0, b : t_Iter'0, bc : Seq.seq t_T'0, c : t_Iter'0 . ([%#shash_set18] set_produces'0 a ab b) + -> ([%#shash_set19] set_produces'0 b bc c) -> ([%#shash_set20] set_produces'0 a (Seq.(++) ab bc) c) + + use seq.Seq + + predicate produces'0 (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) = + [%#shash_set5] set_produces'0 self visited o + + function produces_trans'0 (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + = + [%#shash_set12] let _ = set_produces_trans'0 a ab b bc c in () + + axiom produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq t_T'0, b : t_Iter'0, bc : Seq.seq t_T'0, c : t_Iter'0 . ([%#shash_set9] produces'0 a ab b) + -> ([%#shash_set10] produces'0 b bc c) -> ([%#shash_set11] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Iter'0) : () = + [%#shash_set8] () + + axiom produces_refl'0_spec : forall self : t_Iter'0 . [%#shash_set7] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + function view'4 (self : borrowed (t_Iter'0)) : Fset.fset t_DeepModelTy'0 = + [%#smodel13] view'2 self.current + + use set.Fset + + predicate completed'0 (self : borrowed (t_Iter'0)) = + [%#shash_set4] Fset.is_empty (view'4 self) + + function view'0 (self : t_HashSet'0) : Fset.fset t_DeepModelTy'0 + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set6] forall x : t_DeepModelTy'0 . contains'0 (view'0 res) x + = (exists x1 : t_T'0 . 
deep_model'0 x1 = x /\ contains'1 prod x1) + + let rec collect'0 (self:t_Iter'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashSet'0)-> {inv'2 result} + {[%#siter2] exists done' : borrowed (t_Iter'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashset_iter'0 (xs:t_HashSet'1) (return' (ret:t_HashSet'0))= (! bb0 + [ bb0 = s0 [ s0 = iter'0 {xs} (fun (_ret':t_Iter'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = collect'0 {_3} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_HashSet'0 = any_l () | & xs : t_HashSet'1 = xs | & _3 : t_Iter'0 = any_l () ] + [ return' (result:t_HashSet'0)-> {[@expl:roundtrip_hashset_iter ensures] [%#scollections0] view'0 result + = view'1 xs} + (! 
return' {result}) ] + +end +module M_collections__hashset_intersection [#"collections.rs" 74 0 77 15] + let%span scollections0 = "collections.rs" 73 10 73 42 + let%span shash_set1 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 32 30 32 67 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter3 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span smodel4 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span scopied5 = "../../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span scopied6 = "../../../../creusot-contracts/src/std/iter/copied.rs" 40 12 40 105 + let%span scopied7 = "../../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 185 20 185 121 + let%span scopied9 = "../../../../creusot-contracts/src/std/iter/copied.rs" 21 8 21 29 + let%span scopied10 = "../../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 + let%span scopied11 = "../../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 + let%span scopied12 = "../../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 + let%span scopied13 = "../../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 + let%span shash_set14 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 210 20 210 56 + let%span shash_set15 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span sfset16 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_set18 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 215 14 215 45 + let%span shash_set19 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 213 4 213 10 + let%span shash_set20 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 220 15 220 32 + 
let%span shash_set21 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 221 15 221 32 + let%span shash_set22 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 222 14 222 42 + let%span shash_set23 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 224 8 224 43 + let%span sresolve24 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel25 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span shash_set26 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span shash_set27 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set28 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set29 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set30 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span smodel31 = "../../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq32 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq33 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { 
t_HashSet__base'0: t_HashSet'1 } + + predicate inv'0 (_1 : t_HashSet'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'0 [inv'0 x] . inv'0 x = true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + predicate inv'1 (_1 : t_Intersection'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Intersection'0 [inv'1 x] . inv'1 x = true + + type t_DeepModelTy'0 + + use set.Fset + + function view'2 (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 + + function view'0 (self : t_HashSet'0) : Fset.fset t_DeepModelTy'0 + + function view'1 (self : t_HashSet'0) : Fset.fset t_DeepModelTy'0 = + [%#smodel4] view'0 self + + use set.Fset + + let rec intersection'0 (self:t_HashSet'0) (other:t_HashSet'0) (return' (ret:t_Intersection'0))= {[@expl:intersection 'self' type invariant] inv'0 self} + {[@expl:intersection 'other' type invariant] inv'0 other} + any + [ return' (result:t_Intersection'0)-> {inv'1 result} + {[%#shash_set1] view'2 result = Fset.inter (view'1 self) (view'1 other)} + (! 
return' {result}) ] + + + type t_Copied'0 = + { t_Copied__it'0: t_Intersection'0 } + + predicate inv'2 (_1 : t_Copied'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_Copied'0 [inv'2 x] . inv'2 x = true + + function iter'0 (self : t_Copied'0) : t_Intersection'0 + + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'2 self -> inv'1 (iter'0 self) + + let rec copied'0 (self:t_Intersection'0) (return' (ret:t_Copied'0))= {[@expl:copied 'self' type invariant] inv'1 self} + any [ return' (result:t_Copied'0)-> {inv'2 result} {[%#siter2] iter'0 result = self} (! return' {result}) ] + + predicate inv'3 (_1 : t_HashSet'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_HashSet'0 [inv'3 x] . inv'3 x = true + + type t_T'0 + + use seq.Seq + + predicate resolve'2 (_1 : t_Intersection'0) = + true + + predicate resolve'1 (self : t_Copied'0) = + [%#scopied9] resolve'2 (iter'0 self) + + predicate resolve'0 (_1 : t_Copied'0) = + resolve'1 _1 + + use seq.Seq + + use seq.Seq + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) = + [%#sfset16] Fset.mem e self + + function deep_model'0 (self : t_T'0) : t_DeepModelTy'0 + + function deep_model'1 (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel31] deep_model'0 self + + use seq.Seq + + predicate contains'2 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) = + [%#shash_set26] Fset.cardinal (view'2 start) = Seq.length visited + Fset.cardinal (view'2 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'2 start) x + -> (exists x1 : t_T'0 . deep_model'1 x1 = x /\ contains'2 visited x1) \/ contains'0 (view'2 end') x) + /\ (forall x : t_T'0 . 
contains'2 visited x + -> contains'0 (view'2 start) (deep_model'1 x) /\ not contains'0 (view'2 end') (deep_model'1 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'2 end') x + -> contains'0 (view'2 start) x /\ not (exists x1 : t_T'0 . deep_model'1 x1 = x /\ contains'2 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'1 (Seq.get visited i) = deep_model'1 (Seq.get visited j) + -> i = j) + + function concat_contains'0 (_1 : ()) : () = + [%#sseq33] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq32] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'2 (Seq.(++) a b) x + = contains'2 a x + \/ contains'2 b x + + function set_produces_trans'0 (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () + + = + [%#shash_set30] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom set_produces_trans'0_spec : forall a : t_Intersection'0, ab : Seq.seq t_T'0, b : t_Intersection'0, bc : Seq.seq t_T'0, c : t_Intersection'0 . ([%#shash_set27] set_produces'0 a ab b) + -> ([%#shash_set28] set_produces'0 b bc c) -> ([%#shash_set29] set_produces'0 a (Seq.(++) ab bc) c) + + use seq.Seq + + predicate produces'1 (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = + [%#shash_set15] set_produces'0 self visited o + + function produces_trans'1 (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () + + = + [%#shash_set23] let _ = set_produces_trans'0 a ab b bc c in () + + axiom produces_trans'1_spec : forall a : t_Intersection'0, ab : Seq.seq t_T'0, b : t_Intersection'0, bc : Seq.seq t_T'0, c : t_Intersection'0 . 
([%#shash_set20] produces'1 a ab b) + -> ([%#shash_set21] produces'1 b bc c) -> ([%#shash_set22] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 (self : t_Intersection'0) : () = + [%#shash_set19] () + + axiom produces_refl'1_spec : forall self : t_Intersection'0 . [%#shash_set18] produces'1 self (Seq.empty : Seq.seq t_T'0) self + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) = + [%#scopied7] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + + function produces_trans'0 (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () + + + axiom produces_trans'0_spec : forall a : t_Copied'0, ab : Seq.seq t_T'0, b : t_Copied'0, bc : Seq.seq t_T'0, c : t_Copied'0 . ([%#scopied11] produces'0 a ab b) + -> ([%#scopied12] produces'0 b bc c) -> ([%#scopied13] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Copied'0) : () + + axiom produces_refl'0_spec : forall self : t_Copied'0 . [%#scopied10] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + predicate resolve'3 (self : borrowed (t_Intersection'0)) = + [%#sresolve24] self.final = self.current + + function view'3 (self : borrowed (t_Intersection'0)) : Fset.fset t_DeepModelTy'0 = + [%#smodel25] view'2 self.current + + use set.Fset + + predicate completed'1 (self : borrowed (t_Intersection'0)) = + [%#shash_set14] resolve'3 self /\ Fset.is_empty (view'3 self) + + predicate completed'0 (self : borrowed (t_Copied'0)) = + [%#scopied6] exists inner : borrowed (t_Intersection'0) . inner.current = iter'0 self.current + /\ inner.final = iter'0 self.final /\ completed'1 inner + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 
0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set8] forall x : t_DeepModelTy'0 . contains'0 (view'0 res) x + = (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 prod x1) + + let rec collect'0 (self:t_Copied'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'2 self} + any + [ return' (result:t_HashSet'0)-> {inv'3 result} + {[%#siter3] exists done' : borrowed (t_Copied'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec hashset_intersection'0 (xs:t_HashSet'0) (ys:t_HashSet'0) (return' (ret:t_HashSet'0))= (! bb0 + [ bb0 = s0 [ s0 = intersection'0 {xs} {ys} (fun (_ret':t_Intersection'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = copied'0 {_5} (fun (_ret':t_Copied'0) -> [ &_4 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {_4} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = return' {_0} ] + ) + [ & _0 : t_HashSet'0 = any_l () + | & xs : t_HashSet'0 = xs + | & ys : t_HashSet'0 = ys + | & _4 : t_Copied'0 = any_l () + | & _5 : t_Intersection'0 = any_l () ] + + [ return' (result:t_HashSet'0)-> {[@expl:hashset_intersection ensures] [%#scollections0] view'0 result + = Fset.inter (view'1 xs) (view'1 ys)} + (! return' {result}) ] + +end diff --git a/creusot/tests/should_succeed/cc/collections.rs b/creusot/tests/should_succeed/cc/collections.rs new file mode 100644 index 0000000000..9de9c88f31 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections.rs 
@@ -0,0 +1,79 @@
+extern crate creusot_contracts;
+use creusot_contracts::*;
+use std::{
+ collections::{hash_map, HashMap, HashSet},
+ hash::Hash,
+};
+
+#[trusted]
+#[logic]
+pub fn any() -> T {
+ dead
+}
+
+#[ensures(result@ == xs@)]
+pub fn roundtrip_hashmap_into_iter(
+ xs: HashMap,
+) -> HashMap {
+ let it = xs.into_iter();
+ let it0 = snapshot! { it };
+ let r: HashMap = it.collect();
+ proof_assert! {
+ exists, it1: &mut hash_map::IntoIter>
+ it1.completed() && it0.produces(prod, *it1) &&
+ forall r@.get(k) == Some(v)
+ ==> exists k1.deep_model() == k && prod.contains((k1, v))
+ };
+ proof_assert! { forall r@.contains(k) == xs@.contains(k) };
+ r
+}
+
+#[ensures(forall (result@.get(k) == Some(v)) == (xs@.get(k) == Some(*v)))]
+pub fn roundtrip_hashmap_iter(xs: &HashMap) -> HashMap<&K, &V> {
+ let it = xs.iter();
+ let it0 = snapshot! { it };
+ let r: HashMap<&K, &V> = it.collect();
+
+ proof_assert! {
+ exists, it1: &mut hash_map::Iter>
+ it1.completed() && it0.produces(prod, *it1)
+ && forall r@.get(k) == Some(v)
+ ==> exists k1.deep_model() == k && prod.contains((k1, v)) };
+ r
+}
+
+#[ensures(forall result@.get(k) == Some(v) ==> xs@.get(k) == Some(*v) && (^xs)@.get(k) == Some(^v))]
+#[ensures(forall xs@.get(k) == Some(v) ==> result@.contains(k) && *result@[k] == v)]
+#[ensures(forall (^xs)@.get(k) == Some(v) ==> result@.contains(k) && ^result@[k] == v)]
+pub fn roundtrip_hashmap_iter_mut(
+ xs: &mut HashMap,
+) -> HashMap<&K, &mut V> {
+ let it = xs.iter_mut();
+ let it0 = snapshot! { it };
+ let r: HashMap<&K, &mut V> = it.collect();
+ proof_assert! 
{ + exists, it1: &mut hash_map::IterMut> + it1.completed() && it0.produces(prod, *it1) + && forall r@.get(k) == Some(v) + ==> exists k1.deep_model() == k && prod.contains((k1, v)) + }; + r +} + +#[ensures(result@ == xs@)] +pub fn roundtrip_hashset_into_iter(xs: HashSet) -> HashSet { + xs.into_iter().collect() +} + +#[ensures(result@ == xs@)] +pub fn roundtrip_hashset_iter(xs: &HashSet) -> HashSet<&T> { + xs.iter().collect() +} + +#[ensures(result@ == xs@.intersection(ys@))] +pub fn hashset_intersection( + xs: &HashSet, + ys: &HashSet, +) -> HashSet { + xs.intersection(ys).copied().collect() +} diff --git a/creusot/tests/should_succeed/cc/collections/why3session.xml b/creusot/tests/should_succeed/cc/collections/why3session.xml new file mode 100644 index 0000000000..efb5774405 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections/why3session.xml @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/creusot/tests/should_succeed/cc/collections/why3shapes.gz b/creusot/tests/should_succeed/cc/collections/why3shapes.gz new file mode 100644 index 0000000000..dbb36120cf Binary files /dev/null and b/creusot/tests/should_succeed/cc/collections/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/ghost/ghost_set.coma b/creusot/tests/should_succeed/ghost/ghost_set.coma index e4e93b45f2..715ebc53ba 100644 --- a/creusot/tests/should_succeed/ghost/ghost_set.coma +++ b/creusot/tests/should_succeed/ghost/ghost_set.coma 
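Review bot: The `any` helper near the top of collections.rs is declared `#[trusted] #[logic]` with a `dead` body, yet none of the six test functions in this hunk calls it. A trusted logic item is accepted without proof, and one that yields a value of an arbitrary type can mask a gap if a later contract starts to rely on it, so a should_succeed test is better off without it. I would delete the `any` definition, or, if it is kept for a follow-up, put `// unused; kept only for <reason>` above it. The generic parameter lists are not readable in this rendering of the hunk, so the exact signature of `any` is inferred.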
@@ -1,7 +1,7 @@ module M_ghost_set__ghost_map [#"ghost_set.rs" 4 0 4 18] let%span sghost_set0 = "ghost_set.rs" 5 18 5 36 - let%span sfset1 = "../../../../creusot-contracts/src/logic/fset.rs" 185 4 185 34 - let%span sfset2 = "../../../../creusot-contracts/src/logic/fset.rs" 183 14 183 31 + let%span sfset1 = "../../../../creusot-contracts/src/logic/fset.rs" 196 4 196 34 + let%span sfset2 = "../../../../creusot-contracts/src/logic/fset.rs" 194 14 194 31 let%span sghost_set3 = "ghost_set.rs" 7 22 7 53 let%span sghost_set4 = "ghost_set.rs" 8 25 8 26 let%span sghost_set5 = "ghost_set.rs" 10 22 10 63 
@@ -25,22 +25,22 @@ module M_ghost_set__ghost_map [#"ghost_set.rs" 4 0 4 18] let%span sghost23 = "../../../../creusot-contracts/src/ghost.rs" 85 22 85 26 let%span sghost24 = "../../../../creusot-contracts/src/ghost.rs" 85 4 85 48 let%span sghost25 = "../../../../creusot-contracts/src/ghost.rs" 84 14 84 36 - let%span sfset26 = "../../../../creusot-contracts/src/logic/fset.rs" 266 29 266 33 - let%span sfset27 = "../../../../creusot-contracts/src/logic/fset.rs" 266 35 266 40 - let%span sfset28 = "../../../../creusot-contracts/src/logic/fset.rs" 264 14 264 44 - let%span sfset29 = "../../../../creusot-contracts/src/logic/fset.rs" 265 14 265 48 + let%span sfset26 = "../../../../creusot-contracts/src/logic/fset.rs" 277 29 277 33 + let%span sfset27 = "../../../../creusot-contracts/src/logic/fset.rs" 277 35 277 40 + let%span sfset28 = "../../../../creusot-contracts/src/logic/fset.rs" 275 14 275 44 + let%span sfset29 = "../../../../creusot-contracts/src/logic/fset.rs" 276 14 276 48 let%span sghost30 = "../../../../creusot-contracts/src/ghost.rs" 69 14 69 18 let%span sghost31 = "../../../../creusot-contracts/src/ghost.rs" 69 4 69 36 let%span sghost32 = "../../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sfset33 = "../../../../creusot-contracts/src/logic/fset.rs" 211 22 211 26 - let%span sfset34 = "../../../../creusot-contracts/src/logic/fset.rs" 210 14 210 34 - let%span sfset35 = "../../../../creusot-contracts/src/logic/fset.rs" 302 29 302 33 - let%span sfset36 = "../../../../creusot-contracts/src/logic/fset.rs" 302 35 302 40 - let%span sfset37 = "../../../../creusot-contracts/src/logic/fset.rs" 300 14 300 45 - let%span sfset38 = "../../../../creusot-contracts/src/logic/fset.rs" 301 14 301 48 - let%span sfset39 = "../../../../creusot-contracts/src/logic/fset.rs" 232 27 232 31 - let%span sfset40 = "../../../../creusot-contracts/src/logic/fset.rs" 232 33 232 38 - let%span sfset41 = "../../../../creusot-contracts/src/logic/fset.rs" 231 14 231 45 + let%span 
sfset33 = "../../../../creusot-contracts/src/logic/fset.rs" 222 22 222 26 + let%span sfset34 = "../../../../creusot-contracts/src/logic/fset.rs" 221 14 221 34 + let%span sfset35 = "../../../../creusot-contracts/src/logic/fset.rs" 313 29 313 33 + let%span sfset36 = "../../../../creusot-contracts/src/logic/fset.rs" 313 35 313 40 + let%span sfset37 = "../../../../creusot-contracts/src/logic/fset.rs" 311 14 311 45 + let%span sfset38 = "../../../../creusot-contracts/src/logic/fset.rs" 312 14 312 48 + let%span sfset39 = "../../../../creusot-contracts/src/logic/fset.rs" 243 27 243 31 + let%span sfset40 = "../../../../creusot-contracts/src/logic/fset.rs" 243 33 243 38 + let%span sfset41 = "../../../../creusot-contracts/src/logic/fset.rs" 242 14 242 45 let%span sghost42 = "../../../../creusot-contracts/src/ghost.rs" 181 15 181 16 let%span sghost43 = "../../../../creusot-contracts/src/ghost.rs" 181 4 181 28 let%span sghost44 = "../../../../creusot-contracts/src/ghost.rs" 179 14 179 28 diff --git a/creusot/tests/should_succeed/ghost/ghost_vec.coma b/creusot/tests/should_succeed/ghost/ghost_vec.coma index d7d4f155ed..4503007f87 100644 --- a/creusot/tests/should_succeed/ghost/ghost_vec.coma +++ b/creusot/tests/should_succeed/ghost/ghost_vec.coma @@ -2,8 +2,8 @@ module M_ghost_vec__ghost_vec [#"ghost_vec.rs" 4 0 4 18] let%span sghost_vec0 = "ghost_vec.rs" 5 16 5 26 let%span sghost_vec1 = "ghost_vec.rs" 6 18 6 49 let%span sghost_vec2 = "ghost_vec.rs" 40 16 40 26 - let%span sseq3 = "../../../../creusot-contracts/src/logic/seq.rs" 421 4 421 34 - let%span sseq4 = "../../../../creusot-contracts/src/logic/seq.rs" 419 14 419 36 + let%span sseq3 = "../../../../creusot-contracts/src/logic/seq.rs" 431 4 431 34 + let%span sseq4 = "../../../../creusot-contracts/src/logic/seq.rs" 429 14 429 36 let%span sghost5 = "../../../../creusot-contracts/src/ghost.rs" 217 9 217 15 let%span sseq6 = "../../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 let%span sghost_vec7 = "ghost_vec.rs" 8 26 8 28 
@@ -35,38 +35,38 @@ module M_ghost_vec__ghost_vec [#"ghost_vec.rs" 4 0 4 18] let%span sghost33 = "../../../../creusot-contracts/src/ghost.rs" 85 22 85 26 let%span sghost34 = "../../../../creusot-contracts/src/ghost.rs" 85 4 85 48 let%span sghost35 = "../../../../creusot-contracts/src/ghost.rs" 84 14 84 36 - let%span sseq36 = "../../../../creusot-contracts/src/logic/seq.rs" 488 32 488 36 - let%span sseq37 = "../../../../creusot-contracts/src/logic/seq.rs" 488 38 488 39 - let%span sseq38 = "../../../../creusot-contracts/src/logic/seq.rs" 487 14 487 40 + let%span sseq36 = "../../../../creusot-contracts/src/logic/seq.rs" 498 32 498 36 + let%span sseq37 = "../../../../creusot-contracts/src/logic/seq.rs" 498 38 498 39 + let%span sseq38 = "../../../../creusot-contracts/src/logic/seq.rs" 497 14 497 40 let%span sghost39 = "../../../../creusot-contracts/src/ghost.rs" 69 14 69 18 let%span sghost40 = "../../../../creusot-contracts/src/ghost.rs" 69 4 69 36 let%span sghost41 = "../../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sseq42 = "../../../../creusot-contracts/src/logic/seq.rs" 445 22 445 26 - let%span sseq43 = "../../../../creusot-contracts/src/logic/seq.rs" 444 14 444 34 + let%span sseq42 = "../../../../creusot-contracts/src/logic/seq.rs" 455 22 455 26 + let%span sseq43 = "../../../../creusot-contracts/src/logic/seq.rs" 454 14 454 34 let%span sint44 = "../../../../creusot-contracts/src/logic/int.rs" 60 14 60 31 let%span sghost45 = "../../../../creusot-contracts/src/ghost.rs" 199 22 199 26 let%span sghost46 = "../../../../creusot-contracts/src/ghost.rs" 199 4 199 32 let%span sghost47 = "../../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sseq48 = "../../../../creusot-contracts/src/logic/seq.rs" 516 22 516 26 - let%span sseq49 = "../../../../creusot-contracts/src/logic/seq.rs" 516 4 516 53 - let%span sseq50 = "../../../../creusot-contracts/src/logic/seq.rs" 512 14 515 5 - let%span sseq51 = "../../../../creusot-contracts/src/logic/seq.rs" 
547 30 547 34 - let%span sseq52 = "../../../../creusot-contracts/src/logic/seq.rs" 547 4 547 65 - let%span sseq53 = "../../../../creusot-contracts/src/logic/seq.rs" 541 14 544 5 - let%span sseq54 = "../../../../creusot-contracts/src/logic/seq.rs" 545 14 545 84 - let%span sseq55 = "../../../../creusot-contracts/src/logic/seq.rs" 546 14 546 44 - let%span sseq56 = "../../../../creusot-contracts/src/logic/seq.rs" 574 31 574 35 - let%span sseq57 = "../../../../creusot-contracts/src/logic/seq.rs" 574 4 574 49 - let%span sseq58 = "../../../../creusot-contracts/src/logic/seq.rs" 570 14 573 5 + let%span sseq48 = "../../../../creusot-contracts/src/logic/seq.rs" 526 22 526 26 + let%span sseq49 = "../../../../creusot-contracts/src/logic/seq.rs" 526 4 526 53 + let%span sseq50 = "../../../../creusot-contracts/src/logic/seq.rs" 522 14 525 5 + let%span sseq51 = "../../../../creusot-contracts/src/logic/seq.rs" 557 30 557 34 + let%span sseq52 = "../../../../creusot-contracts/src/logic/seq.rs" 557 4 557 65 + let%span sseq53 = "../../../../creusot-contracts/src/logic/seq.rs" 551 14 554 5 + let%span sseq54 = "../../../../creusot-contracts/src/logic/seq.rs" 555 14 555 84 + let%span sseq55 = "../../../../creusot-contracts/src/logic/seq.rs" 556 14 556 44 + let%span sseq56 = "../../../../creusot-contracts/src/logic/seq.rs" 584 31 584 35 + let%span sseq57 = "../../../../creusot-contracts/src/logic/seq.rs" 584 4 584 49 + let%span sseq58 = "../../../../creusot-contracts/src/logic/seq.rs" 580 14 583 5 let%span sghost59 = "../../../../creusot-contracts/src/ghost.rs" 181 15 181 16 let%span sghost60 = "../../../../creusot-contracts/src/ghost.rs" 181 4 181 28 let%span sghost61 = "../../../../creusot-contracts/src/ghost.rs" 179 14 179 28 - let%span sseq62 = "../../../../creusot-contracts/src/logic/seq.rs" 466 33 466 37 - let%span sseq63 = "../../../../creusot-contracts/src/logic/seq.rs" 466 39 466 40 - let%span sseq64 = "../../../../creusot-contracts/src/logic/seq.rs" 465 14 465 41 - let%span 
sseq65 = "../../../../creusot-contracts/src/logic/seq.rs" 600 32 600 36 - let%span sseq66 = "../../../../creusot-contracts/src/logic/seq.rs" 600 4 600 50 - let%span sseq67 = "../../../../creusot-contracts/src/logic/seq.rs" 596 14 599 5 + let%span sseq62 = "../../../../creusot-contracts/src/logic/seq.rs" 476 33 476 37 + let%span sseq63 = "../../../../creusot-contracts/src/logic/seq.rs" 476 39 476 40 + let%span sseq64 = "../../../../creusot-contracts/src/logic/seq.rs" 475 14 475 41 + let%span sseq65 = "../../../../creusot-contracts/src/logic/seq.rs" 610 32 610 36 + let%span sseq66 = "../../../../creusot-contracts/src/logic/seq.rs" 610 4 610 50 + let%span sseq67 = "../../../../creusot-contracts/src/logic/seq.rs" 606 14 609 5 let%span sresolve68 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sseq69 = "../../../../creusot-contracts/src/logic/seq.rs" 251 8 251 27 diff --git a/creusot/tests/should_succeed/hashmap.coma b/creusot/tests/should_succeed/hashmap.coma index 6d44553771..96141d19c8 100644 --- a/creusot/tests/should_succeed/hashmap.coma +++ b/creusot/tests/should_succeed/hashmap.coma @@ -136,7 +136,7 @@ module M_hashmap__qyi15467499327297494705__resolve_coherence [#"hashmap.rs" 116 let%span shashmap16 = "hashmap.rs" 133 12 133 91 let%span shashmap17 = "hashmap.rs" 41 12 44 13 let%span svec18 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq19 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq19 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed20 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow 
@@ -348,7 +348,7 @@ module M_hashmap__qyi7664122466964245986__new [#"hashmap.rs" 152 4 152 46] (* My let%span shashmap13 = "hashmap.rs" 133 12 133 91 let%span shashmap14 = "hashmap.rs" 41 12 44 13 let%span sboxed15 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq16 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq16 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 type t_K'0 @@ -575,7 +575,7 @@ module M_hashmap__qyi7664122466964245986__add [#"hashmap.rs" 158 4 158 41] (* My let%span sindex41 = "../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span sinvariant42 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sresolve43 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - let%span sseq44 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq44 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span shashmap45 = "hashmap.rs" 143 12 144 139 use prelude.prelude.Snapshot @@ -1152,7 +1152,7 @@ module M_hashmap__qyi7664122466964245986__get [#"hashmap.rs" 190 4 190 43] (* My let%span shashmap26 = "hashmap.rs" 133 12 133 91 let%span shashmap27 = "hashmap.rs" 41 12 44 13 let%span sboxed28 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq29 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq29 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 use prelude.prelude.Borrow 
@@ -1534,7 +1534,7 @@ module M_hashmap__qyi7664122466964245986__resize [#"hashmap.rs" 209 4 209 24] (* let%span sinvariant57 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sresolve58 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 let%span sboxed59 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq60 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq60 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 use prelude.prelude.Snapshot @@ -2508,7 +2508,7 @@ module M_hashmap__qyi15467499327297494705__resolve_coherence__refines [#"hashmap let%span shashmap13 = "hashmap.rs" 133 12 133 91 let%span shashmap14 = "hashmap.rs" 41 12 44 13 let%span svec15 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq16 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq16 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed17 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/heapsort_generic.coma b/creusot/tests/should_succeed/heapsort_generic.coma index 224550a748..ac5ca71415 100644 --- a/creusot/tests/should_succeed/heapsort_generic.coma +++ b/creusot/tests/should_succeed/heapsort_generic.coma @@ -176,7 +176,7 @@ module M_heapsort_generic__sift_down [#"heapsort_generic.rs" 41 0 43 29] let%span svec63 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sslice64 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant65 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq66 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq66 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed67 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot 
@@ -689,7 +689,7 @@ module M_heapsort_generic__heap_sort [#"heapsort_generic.rs" 94 0 96 29] let%span sinvariant72 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice73 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant74 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq75 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq75 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed76 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot diff --git a/creusot/tests/should_succeed/hillel.coma b/creusot/tests/should_succeed/hillel.coma index 70594d91f1..92d67b95cc 100644 --- a/creusot/tests/should_succeed/hillel.coma +++ b/creusot/tests/should_succeed/hillel.coma @@ -24,7 +24,7 @@ module M_hillel__right_pad [#"hillel.rs" 17 0 17 59] let%span svec22 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant23 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant24 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq25 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq25 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed26 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot @@ -243,7 +243,7 @@ module M_hillel__left_pad [#"hillel.rs" 34 0 34 58] let%span svec27 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant28 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant29 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq30 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq30 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed31 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot 
@@ -534,7 +534,7 @@ module M_hillel__insert_unique [#"hillel.rs" 80 0 80 62] let%span sslice52 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 let%span sslice53 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sindex54 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sseq55 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq55 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sinvariant56 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span svec57 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant58 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 @@ -1055,7 +1055,7 @@ module M_hillel__unique [#"hillel.rs" 102 0 102 56] let%span svec56 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant57 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant58 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq59 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq59 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sslice60 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sboxed61 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut.coma b/creusot/tests/should_succeed/iterators/02_iter_mut.coma index 6dc2b28ac7..d8c0cdad41 100644 --- a/creusot/tests/should_succeed/iterators/02_iter_mut.coma +++ b/creusot/tests/should_succeed/iterators/02_iter_mut.coma 
@@ -227,7 +227,7 @@ module M_02_iter_mut__qyi4305820612590367313__next [#"02_iter_mut.rs" 64 4 64 44 let%span sinvariant14 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice15 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span s02_iter_mut16 = "02_iter_mut.rs" 23 20 23 64 - let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed18 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -456,7 +456,7 @@ module M_02_iter_mut__qyi7060081090368749043__into_iter [#"02_iter_mut.rs" 71 4 let%span sslice5 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sinvariant6 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice7 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq8 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq8 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed9 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -568,7 +568,7 @@ module M_02_iter_mut__iter_mut [#"02_iter_mut.rs" 79 0 79 55] let%span sslice19 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant20 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span s02_iter_mut21 = "02_iter_mut.rs" 23 20 23 64 - let%span sseq22 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq22 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed23 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow 
@@ -1129,7 +1129,7 @@ module M_02_iter_mut__qyi9908912287408438076__resolve_coherence__refines [#"02_i let%span sslice6 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sinvariant7 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice8 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq9 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq9 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed10 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -1322,7 +1322,7 @@ module M_02_iter_mut__qyi4305820612590367313__next__refines [#"02_iter_mut.rs" 6 let%span sindex10 = "../../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 let%span s02_iter_mut11 = "02_iter_mut.rs" 23 20 23 64 let%span sslice12 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed14 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators.coma b/creusot/tests/should_succeed/iterators/03_std_iterators.coma index cb7da2c3f9..1f3a9b3f17 100644 --- a/creusot/tests/should_succeed/iterators/03_std_iterators.coma +++ b/creusot/tests/should_succeed/iterators/03_std_iterators.coma 
@@ -29,7 +29,7 @@ module M_03_std_iterators__slice_iter [#"03_std_iterators.rs" 6 0 6 42] let%span sslice27 = "../../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 let%span sslice28 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sindex29 = "../../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sseq30 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq30 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span smodel31 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 let%span sinvariant32 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sboxed33 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 @@ -340,7 +340,7 @@ module M_03_std_iterators__vec_iter [#"03_std_iterators.rs" 17 0 17 41] let%span sresolve25 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span svec26 = "../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 let%span sindex27 = "../../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sseq28 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq28 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span smodel29 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 let%span sslice30 = "../../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 let%span sslice31 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 
@@ -2287,7 +2287,7 @@ module M_03_std_iterators__my_reverse [#"03_std_iterators.rs" 94 0 94 37] let%span sslice54 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant55 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant56 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq57 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq57 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed58 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.coma b/creusot/tests/should_succeed/iterators/08_collect_extend.coma index aedea4bc3a..50f3f4a7ec 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.coma +++ b/creusot/tests/should_succeed/iterators/08_collect_extend.coma @@ -24,7 +24,7 @@ module M_08_collect_extend__extend [#"08_collect_extend.rs" 26 0 26 66] let%span siter22 = "../../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 let%span sresolve23 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant24 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span svec26 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sboxed27 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 
@@ -345,7 +345,7 @@ module M_08_collect_extend__collect [#"08_collect_extend.rs" 44 0 44 52] let%span sresolve21 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span smodel22 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 let%span svec23 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sinvariant25 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sboxed26 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 diff --git a/creusot/tests/should_succeed/knapsack.coma b/creusot/tests/should_succeed/knapsack.coma index 7dd3a4f210..2f83db4b1a 100644 --- a/creusot/tests/should_succeed/knapsack.coma +++ b/creusot/tests/should_succeed/knapsack.coma @@ -146,7 +146,7 @@ module M_knapsack__knapsack01_dyn [#"knapsack.rs" 49 0 49 91] let%span svec55 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant56 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sinvariant57 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq58 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq58 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed59 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize diff --git a/creusot/tests/should_succeed/knapsack_full.coma b/creusot/tests/should_succeed/knapsack_full.coma index 0e61063972..88a92da694 100644 --- a/creusot/tests/should_succeed/knapsack_full.coma +++ b/creusot/tests/should_succeed/knapsack_full.coma 
@@ -408,7 +408,7 @@ module M_knapsack_full__knapsack01_dyn [#"knapsack_full.rs" 86 0 86 91] let%span svec103 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant104 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sinvariant105 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq106 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq106 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed107 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize diff --git a/creusot/tests/should_succeed/linked_list.coma b/creusot/tests/should_succeed/linked_list.coma index 4840042900..699904ecbe 100644 --- a/creusot/tests/should_succeed/linked_list.coma +++ b/creusot/tests/should_succeed/linked_list.coma @@ -5,8 +5,8 @@ module M_linked_list__qyi14323471455460008969__new [#"linked_list.rs" 72 4 72 27 let%span slinked_list3 = "linked_list.rs" 72 20 72 27 let%span slinked_list4 = "linked_list.rs" 71 14 71 35 let%span sptr5 = "../../../creusot-contracts/src/std/ptr.rs" 121 22 121 44 - let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 421 4 421 34 - let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 419 14 419 36 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 431 4 431 34 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 429 14 429 36 let%span slinked_list8 = "linked_list.rs" 48 12 48 74 let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 
@@ -14,7 +14,7 @@ module M_linked_list__qyi14323471455460008969__new [#"linked_list.rs" 72 4 72 27 let%span slinked_list12 = "linked_list.rs" 67 4 67 41 let%span slinked_list13 = "linked_list.rs" 26 12 36 69 let%span sboxed14 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sptr_own16 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 use prelude.prelude.Opaque @@ -215,9 +215,9 @@ module M_linked_list__qyi14323471455460008969__push_back [#"linked_list.rs" 77 4 let%span sghost26 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 let%span sghost27 = "../../../creusot-contracts/src/ghost.rs" 199 4 199 32 let%span sghost28 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sseq29 = "../../../creusot-contracts/src/logic/seq.rs" 488 32 488 36 - let%span sseq30 = "../../../creusot-contracts/src/logic/seq.rs" 488 38 488 39 - let%span sseq31 = "../../../creusot-contracts/src/logic/seq.rs" 487 14 487 40 + let%span sseq29 = "../../../creusot-contracts/src/logic/seq.rs" 498 32 498 36 + let%span sseq30 = "../../../creusot-contracts/src/logic/seq.rs" 498 38 498 39 + let%span sseq31 = "../../../creusot-contracts/src/logic/seq.rs" 497 14 497 40 let%span sghost32 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 let%span sghost33 = "../../../creusot-contracts/src/ghost.rs" 181 4 181 28 let%span sghost34 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 
@@ -226,20 +226,20 @@ module M_linked_list__qyi14323471455460008969__push_back [#"linked_list.rs" 77 4 let%span sghost37 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 let%span sghost38 = "../../../creusot-contracts/src/ghost.rs" 69 4 69 36 let%span sghost39 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sseq40 = "../../../creusot-contracts/src/logic/seq.rs" 445 22 445 26 - let%span sseq41 = "../../../creusot-contracts/src/logic/seq.rs" 444 14 444 34 + let%span sseq40 = "../../../creusot-contracts/src/logic/seq.rs" 455 22 455 26 + let%span sseq41 = "../../../creusot-contracts/src/logic/seq.rs" 454 14 454 34 let%span slinked_list42 = "linked_list.rs" 56 10 56 25 - let%span sseq43 = "../../../creusot-contracts/src/logic/seq.rs" 547 30 547 34 - let%span sseq44 = "../../../creusot-contracts/src/logic/seq.rs" 547 4 547 65 - let%span sseq45 = "../../../creusot-contracts/src/logic/seq.rs" 541 14 544 5 - let%span sseq46 = "../../../creusot-contracts/src/logic/seq.rs" 545 14 545 84 - let%span sseq47 = "../../../creusot-contracts/src/logic/seq.rs" 546 14 546 44 + let%span sseq43 = "../../../creusot-contracts/src/logic/seq.rs" 557 30 557 34 + let%span sseq44 = "../../../creusot-contracts/src/logic/seq.rs" 557 4 557 65 + let%span sseq45 = "../../../creusot-contracts/src/logic/seq.rs" 551 14 554 5 + let%span sseq46 = "../../../creusot-contracts/src/logic/seq.rs" 555 14 555 84 + let%span sseq47 = "../../../creusot-contracts/src/logic/seq.rs" 556 14 556 44 let%span soption48 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 let%span slinked_list49 = "linked_list.rs" 67 4 67 41 let%span sinvariant50 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sseq51 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 let%span sboxed52 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq53 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq53 = 
"../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sresolve54 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 let%span sptr_own55 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 let%span sinvariant56 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 @@ -976,9 +976,9 @@ module M_linked_list__qyi14323471455460008969__push_front [#"linked_list.rs" 100 let%span sghost18 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 let%span sghost19 = "../../../creusot-contracts/src/ghost.rs" 199 4 199 32 let%span sghost20 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sseq21 = "../../../creusot-contracts/src/logic/seq.rs" 466 33 466 37 - let%span sseq22 = "../../../creusot-contracts/src/logic/seq.rs" 466 39 466 40 - let%span sseq23 = "../../../creusot-contracts/src/logic/seq.rs" 465 14 465 41 + let%span sseq21 = "../../../creusot-contracts/src/logic/seq.rs" 476 33 476 37 + let%span sseq22 = "../../../creusot-contracts/src/logic/seq.rs" 476 39 476 40 + let%span sseq23 = "../../../creusot-contracts/src/logic/seq.rs" 475 14 475 41 let%span sghost24 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 let%span sghost25 = "../../../creusot-contracts/src/ghost.rs" 181 4 181 28 let%span sghost26 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 
@@ -986,7 +986,7 @@ module M_linked_list__qyi14323471455460008969__push_front [#"linked_list.rs" 100 let%span sresolve28 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span slinked_list29 = "linked_list.rs" 67 4 67 41 let%span sinvariant30 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq31 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq31 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sresolve32 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 let%span sboxed33 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 let%span sptr_own34 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 diff --git a/creusot/tests/should_succeed/selection_sort_generic.coma b/creusot/tests/should_succeed/selection_sort_generic.coma index 4efd70dba4..3a397dfc7d 100644 --- a/creusot/tests/should_succeed/selection_sort_generic.coma +++ b/creusot/tests/should_succeed/selection_sort_generic.coma @@ -74,7 +74,7 @@ module M_selection_sort_generic__selection_sort [#"selection_sort_generic.rs" 30 let%span sslice72 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant73 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant74 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq75 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq75 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed76 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot diff --git a/creusot/tests/should_succeed/slices/01.coma b/creusot/tests/should_succeed/slices/01.coma index 783e2e70b5..cc2a4f0003 100644 --- a/creusot/tests/should_succeed/slices/01.coma +++ b/creusot/tests/should_succeed/slices/01.coma 
@@ -157,7 +157,7 @@ module M_01__slice_first [#"01.rs" 20 0 20 44] let%span sslice10 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sinvariant11 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sslice12 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed14 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/sparse_array.coma b/creusot/tests/should_succeed/sparse_array.coma index 1f3157eebb..b15308e89a 100644 --- a/creusot/tests/should_succeed/sparse_array.coma +++ b/creusot/tests/should_succeed/sparse_array.coma @@ -13,7 +13,7 @@ module M_sparse_array__qyi13879026616235705248__resolve_coherence [#"sparse_arra let%span svec11 = "../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 let%span ssparse_array12 = "sparse_array.rs" 68 12 76 17 let%span svec13 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq14 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq14 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed15 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -227,7 +227,7 @@ module M_sparse_array__qyi912363311032332466__get [#"sparse_array.rs" 105 4 105 let%span sindex14 = "../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span ssparse_array15 = "sparse_array.rs" 68 12 76 17 let%span svec16 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq17 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq17 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed18 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize 
@@ -514,7 +514,7 @@ module M_sparse_array__qyi912363311032332466__lemma_permutation [#"sparse_array. let%span ssparse_array7 = "sparse_array.rs" 68 12 76 17 let%span svec8 = "../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 let%span svec9 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed11 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize @@ -681,7 +681,7 @@ module M_sparse_array__qyi912363311032332466__set [#"sparse_array.rs" 129 4 129 let%span svec31 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant32 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span ssparse_array33 = "sparse_array.rs" 68 12 76 17 - let%span sseq34 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq34 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed35 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -1098,7 +1098,7 @@ module M_sparse_array__create [#"sparse_array.rs" 151 0 151 56] let%span ssparse_array12 = "sparse_array.rs" 89 20 90 52 let%span ssparse_array13 = "sparse_array.rs" 68 12 76 17 let%span svec14 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 type t_T'0 
@@ -1679,7 +1679,7 @@ module M_sparse_array__qyi13879026616235705248__resolve_coherence__refines [#"sp let%span svec8 = "../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 let%span ssparse_array9 = "sparse_array.rs" 68 12 76 17 let%span svec10 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed12 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/sparse_array/why3session.xml b/creusot/tests/should_succeed/sparse_array/why3session.xml index c438d10e8c..ad69af7842 100644 --- a/creusot/tests/should_succeed/sparse_array/why3session.xml +++ b/creusot/tests/should_succeed/sparse_array/why3session.xml @@ -4,13 +4,13 @@ - + - + @@ -38,7 +38,7 @@ - + @@ -62,14 +62,12 @@ - - @@ -80,7 +78,6 @@ - @@ -95,7 +92,7 @@ - + @@ -103,7 +100,6 @@ - @@ -112,8 +108,7 @@ - - + @@ -132,19 +127,17 @@ - + - - @@ -157,12 +150,12 @@ - + - + diff --git a/creusot/tests/should_succeed/sparse_array/why3shapes.gz b/creusot/tests/should_succeed/sparse_array/why3shapes.gz index 2a742f7004..aa6aaafaf8 100644 Binary files a/creusot/tests/should_succeed/sparse_array/why3shapes.gz and b/creusot/tests/should_succeed/sparse_array/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/take_first_mut.coma b/creusot/tests/should_succeed/take_first_mut.coma index 2675be451d..1a5bff38a7 100644 --- a/creusot/tests/should_succeed/take_first_mut.coma +++ b/creusot/tests/should_succeed/take_first_mut.coma 
@@ -14,7 +14,7 @@ module M_take_first_mut__take_first_mut [#"take_first_mut.rs" 14 0 14 74] let%span sresolve12 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice14 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/traits/16_impl_cloning.coma b/creusot/tests/should_succeed/traits/16_impl_cloning.coma index 3a2eea5c93..1742955d5b 100644 --- a/creusot/tests/should_succeed/traits/16_impl_cloning.coma +++ b/creusot/tests/should_succeed/traits/16_impl_cloning.coma @@ -6,7 +6,7 @@ module M_16_impl_cloning__test [#"16_impl_cloning.rs" 16 0 16 30] let%span sinvariant4 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span svec5 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span svec6 = "../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 - let%span sseq7 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq7 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed8 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/type_invariants/vec_inv.coma b/creusot/tests/should_succeed/type_invariants/vec_inv.coma index f409ef5a34..9e3d550bcf 100644 --- a/creusot/tests/should_succeed/type_invariants/vec_inv.coma +++ b/creusot/tests/should_succeed/type_invariants/vec_inv.coma 
@@ -7,7 +7,7 @@ module M_vec_inv__vec [#"vec_inv.rs" 18 0 18 32] let%span svec5 = "../../../../creusot-contracts/src/std/vec.rs" 49 20 49 83 let%span svec6 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sresolve7 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sseq8 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq8 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed9 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 let%span sinvariant10 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span svec_inv11 = "vec_inv.rs" 13 20 13 43 diff --git a/creusot/tests/should_succeed/vector/02_gnome.coma b/creusot/tests/should_succeed/vector/02_gnome.coma index abef160bf1..fbef0a0559 100644 --- a/creusot/tests/should_succeed/vector/02_gnome.coma +++ b/creusot/tests/should_succeed/vector/02_gnome.coma @@ -54,7 +54,7 @@ module M_02_gnome__gnome_sort [#"02_gnome.rs" 22 0 24 29] let%span sslice52 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant53 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant54 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq55 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq55 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed56 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle.coma b/creusot/tests/should_succeed/vector/03_knuth_shuffle.coma index 39fbc17b1c..3017bc95e8 100644 --- a/creusot/tests/should_succeed/vector/03_knuth_shuffle.coma +++ b/creusot/tests/should_succeed/vector/03_knuth_shuffle.coma 
@@ -41,7 +41,7 @@ module M_03_knuth_shuffle__knuth_shuffle [#"03_knuth_shuffle.rs" 13 0 13 39] let%span sslice39 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant40 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant41 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq42 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq42 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed43 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot diff --git a/creusot/tests/should_succeed/vector/05_binary_search_generic.coma b/creusot/tests/should_succeed/vector/05_binary_search_generic.coma index b91900894a..ab275ff984 100644 --- a/creusot/tests/should_succeed/vector/05_binary_search_generic.coma +++ b/creusot/tests/should_succeed/vector/05_binary_search_generic.coma @@ -46,7 +46,7 @@ module M_05_binary_search_generic__binary_search [#"05_binary_search_generic.rs" let%span sindex44 = "../../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span sinvariant45 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span svec46 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq47 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq47 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed48 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/vector/07_read_write.coma b/creusot/tests/should_succeed/vector/07_read_write.coma index 44666facea..025e575c50 100644 --- a/creusot/tests/should_succeed/vector/07_read_write.coma +++ b/creusot/tests/should_succeed/vector/07_read_write.coma 
@@ -22,7 +22,7 @@ module M_07_read_write__read_write [#"07_read_write.rs" 6 0 6 75] let%span svec20 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant21 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant22 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq23 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq23 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed24 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/vector/09_capacity.coma b/creusot/tests/should_succeed/vector/09_capacity.coma index 56392b3f0b..33fb8df275 100644 --- a/creusot/tests/should_succeed/vector/09_capacity.coma +++ b/creusot/tests/should_succeed/vector/09_capacity.coma @@ -15,7 +15,7 @@ module M_09_capacity__change_capacity [#"09_capacity.rs" 6 0 6 41] let%span sresolve13 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span svec14 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant15 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq16 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq16 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed17 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow 
@@ -191,7 +191,7 @@ module M_09_capacity__clear_vec [#"09_capacity.rs" 14 0 14 35] let%span sresolve4 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span svec5 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant6 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq7 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq7 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed8 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow